23542300x8000000000000000189324Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:27.705{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=251163A4FFA9220A04968FF7AA9CAA35,SHA256=66D39EF7E61C0CD0F2712575E3C213010481C30FD8DBBB5BF2D3370EBC69A6F8,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000134458Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-SetValue2022-02-25 12:19:27.444{6AAC6DF5-B0B1-6218-1400-000000003802}1084C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d82a41-0xeec35236) 354300x8000000000000000134457Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:24.687{6AAC6DF5-B0C0-6218-5B00-000000003802}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-933.eu-central-1.compute.internal50923-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000134456Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:27.194{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D17EDF73B9D607DB31DFB355DD969D19,SHA256=EBD5731D434211F497406EB380414AD392C6B9E70539A366D2F9254F4A35C824,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000189323Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-SetValue2022-02-25 12:19:27.111{414E8EDF-B0AE-6218-0B00-000000003702}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x8000000000000000189322Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-SetValue2022-02-25 12:19:27.111{414E8EDF-B0AE-6218-0B00-000000003702}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x006049c7) 13241300x8000000000000000189321Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-SetValue2022-02-25 12:19:27.111{414E8EDF-B0AE-6218-0B00-000000003702}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d82a39-0x8c5a303c) 13241300x8000000000000000189320Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-SetValue2022-02-25 12:19:27.111{414E8EDF-B0AE-6218-0B00-000000003702}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d82a41-0xee1e983c) 13241300x8000000000000000189319Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-SetValue2022-02-25 12:19:27.111{414E8EDF-B0AE-6218-0B00-000000003702}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d82a4a-0x4fe3003c) 13241300x8000000000000000189318Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-SetValue2022-02-25 12:19:27.111{414E8EDF-B0AE-6218-0B00-000000003702}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x8000000000000000189317Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-SetValue2022-02-25 12:19:27.111{414E8EDF-B0AE-6218-0B00-000000003702}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x006049c7) 13241300x8000000000000000189316Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-SetValue2022-02-25 12:19:27.111{414E8EDF-B0AE-6218-0B00-000000003702}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d82a39-0x8c5a303c) 13241300x8000000000000000189315Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-SetValue2022-02-25 12:19:27.111{414E8EDF-B0AE-6218-0B00-000000003702}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d82a41-0xee1e983c) 13241300x8000000000000000189314Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-SetValue2022-02-25 12:19:27.111{414E8EDF-B0AE-6218-0B00-000000003702}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d82a4a-0x4fe3003c) 23542300x8000000000000000189326Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:28.939{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9577671C5C141EEA4BF4FE55049342F3,SHA256=AFE2DDF000B5C2A50B4831E13EFAED1E9C70185214A6D65EAFB61E317740E1CE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000189325Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:27.570{414E8EDF-B0C9-6218-6A00-000000003702}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52618-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000134459Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:28.194{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA2AA3FD2EF57A664039189CC8D9C29E,SHA256=C84C12E1DA9444D55DE2DFE18FC8F0C79254B4FB2AFE62532420F8C96C4FE9EE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000134461Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:26.936{6AAC6DF5-B0B1-6218-1400-000000003802}1084C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-tcontreras-attack-range-933.eu-central-1.compute.internal123ntpfalse169.254.169.123-123ntp 23542300x8000000000000000134460Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:29.241{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1617E3BCC58B4920037FB1BDA08E79AD,SHA256=BEC22F8D45C18A51B99240994612DFE0B054D621AFB5D393BDAF556FE128A3C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189327Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:30.142{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D37D1E217072A331A34A7F51AC7823B5,SHA256=55BE98F43E9560B38D834A11BA46DE168B9D9493F09D5672ECD102FA8C13DF18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134463Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:30.258{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85C99397FA8AEE14609A10FA2FFE3DB6,SHA256=BE10681F2B6A19C1CAB73D2060F85E2E239992A246BBB0773EC079304A7DEFC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134462Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:30.101{6AAC6DF5-B0B2-6218-2200-000000003802}1500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=4A396A40DE4AD844AFDFD6BFEE34209D,SHA256=ABC582D2644B8C5C1CF17206963A01B55D9A40BBB1979B03D8F2D216AA803ABE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189328Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:31.251{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=947A99AABABD51DF79CA70E31BEE689F,SHA256=DA4781704D26D589833228C8B6758EA1A140F980CC58649EFF668DF9A086A33E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000134465Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:29.594{6AAC6DF5-B0B2-6218-2200-000000003802}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-933.eu-central-1.compute.internal50924-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000134464Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:31.274{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F870AE2169F9A800EAC39569885C46F,SHA256=919F11AFCAA7F9C68AC22BB7DB0AE9F4668BC4FFD932079CE70E6934429D8DF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189329Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:32.267{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F4DEB056521010B3BDE8D1DD82DD873,SHA256=9ADBC4FBC505A829889F19686F9ED77BEFA56DAE5FB30E9887C2EB7CEA95980E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000134467Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:30.595{6AAC6DF5-B0C0-6218-5B00-000000003802}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-933.eu-central-1.compute.internal50925-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000134466Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:32.289{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5C86BA6672C0543AE64629B3E19462D,SHA256=AE0349CDD9B2CD0EAB0BF88F3026F7C4A798F6308601589326127EAF9CC68191,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189330Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:33.423{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E196B3D9A5BD4F24ADC24BB78A6EB594,SHA256=74D11C73D3C4CB320D9787588A3A38D5560D9DCC95844318B80E0DF6DADC97F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134468Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:33.368{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9887E664CF1CBD4E3B44B29B3992BA5,SHA256=368B55AA70D71790464BA728A2FEF040C12676E6D6ED6701EB2AEF02A85A4490,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000189332Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:32.601{414E8EDF-B0C9-6218-6A00-000000003702}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52619-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000189331Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:34.455{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E029848D9007F1355F8FF752E009785C,SHA256=DF843FB36005108D0B7200042E362AF6D0EF752F6F75B62B3B10640D8A1CE2E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134469Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:34.383{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F085BD8C2CE4BB72E50258ED1CB0154,SHA256=0DA7603F16C0E445B8BC5BF412AF92DA00E244E342D5F81F8DE7173361689F40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189333Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:35.470{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99A728160A01C944DB70F80713DCDCB5,SHA256=10C049D2CD17D8FC79A5526266BC782C37EB79E46311AD6967445181BE9EEE59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134470Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:35.399{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25B12A801C259E6B04FE1D89C9610DFF,SHA256=E95712DC7A44E51AA19706B4A085C1D2665E07683C34A1A88069DB0BA5950F41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189334Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:36.627{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5904AAFFEC00925EAEC8AE429D44882,SHA256=42B9E5C1ACE2E937B950521E2FABC4D1883AA2934209B1832F0262130C280F34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134471Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:36.415{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C281523379213B47C469E7D90025BD43,SHA256=E5AED7AC30942B8EF7078E59F5D3CFB707024061BD6CC764916A8FD41DD3A351,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189335Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:37.658{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBEC16D940FED7BF136C5EA665C130E8,SHA256=CB14B8715FF8CD79DC791C7EAAEE5CD1C6E1DB1480AE6B344B94CFD3A3DFDFDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134472Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:37.430{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F078773A5DB9AAE68D6676C0F0DDCE43,SHA256=5B5CE2DB273992BB5F650E7D91F20CE71E960F5AB8386C57953C8802F729B9E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189337Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:38.752{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E3273E45CB837251D5175F3302D2305,SHA256=2C3AC80291F1D329A60B5A5C0F87C4797DA46C1407669A7931658DD639DB84A5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000134474Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:36.610{6AAC6DF5-B0C0-6218-5B00-000000003802}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-933.eu-central-1.compute.internal50926-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000134473Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:38.446{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97AB75FCA91051BC584FD1435A0CE3E6,SHA256=74CDA516D50A0334813888EDA10176B6280C7AFCC7B39A22AED61DD93BD98A4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189336Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:38.470{414E8EDF-B0BE-6218-2900-000000003702}2792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=4A396A40DE4AD844AFDFD6BFEE34209D,SHA256=ABC582D2644B8C5C1CF17206963A01B55D9A40BBB1979B03D8F2D216AA803ABE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000189339Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:38.555{414E8EDF-B0C9-6218-6A00-000000003702}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52620-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000189338Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:39.830{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B8FC16BAE895DC05D3171C2D3811E74,SHA256=D43A8ED477F29DAF76B49545D1E655637A5432CEF2CAAE94F5522D887497A559,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134475Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:39.461{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E90BFA307B6B48E4ABB907F920BBF4A,SHA256=16648D4781FB57F7CD3613E0A82160E713E402F297FE387602239D51DE8046B8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000189341Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:38.961{414E8EDF-B0BE-6218-2900-000000003702}2792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52621-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000189340Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:40.845{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC5B1C6CB58A055932650B2695B66B07,SHA256=179CB8C184B4F8DBF3612418622844456C21BAAC5477AA52DAD6CFC9E1CA3AB1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000134489Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:40.665{6AAC6DF5-B0B4-6218-2B00-000000003802}28082828C:\Windows\system32\conhost.exe{6AAC6DF5-C95C-6218-7403-000000003802}3316C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134488Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:40.665{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134487Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:40.665{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134486Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:40.665{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134485Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:40.665{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134484Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:40.665{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134483Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:40.665{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134482Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:40.665{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134481Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:40.665{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134480Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:40.665{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134479Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:40.665{6AAC6DF5-B0AF-6218-0500-000000003802}424440C:\Windows\system32\csrss.exe{6AAC6DF5-C95C-6218-7403-000000003802}3316C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000134478Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:40.665{6AAC6DF5-B0B2-6218-2200-000000003802}15003888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6AAC6DF5-C95C-6218-7403-000000003802}3316C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000134477Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:40.665{6AAC6DF5-C95C-6218-7403-000000003802}3316C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6AAC6DF5-B0B0-6218-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{6AAC6DF5-B0B2-6218-2200-000000003802}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000134476Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:40.477{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC940913A0812DA305F54374ECD46A56,SHA256=0681EC70897227815F8ECDDF742EE5D90D75086B90576B57A8EA923BA8D9A00C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000134519Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:41.962{6AAC6DF5-B0B4-6218-2B00-000000003802}28082828C:\Windows\system32\conhost.exe{6AAC6DF5-C95D-6218-7603-000000003802}2616C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134518Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:41.962{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134517Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:41.962{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134516Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:41.962{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134515Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:41.962{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134514Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:41.962{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134513Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:41.962{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000134512Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:41.962{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7EFB964812328CAD23502CECFA0A2B78,SHA256=BCD64946F7B15C3357E885715734820B494C7DA08CCC74348335E4907DBF3041,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000134511Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:41.962{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134510Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:41.962{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134509Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:41.962{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134508Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:41.962{6AAC6DF5-B0AF-6218-0500-000000003802}424440C:\Windows\system32\csrss.exe{6AAC6DF5-C95D-6218-7603-000000003802}2616C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000134507Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:41.962{6AAC6DF5-B0B2-6218-2200-000000003802}15003888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6AAC6DF5-C95D-6218-7603-000000003802}2616C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000134506Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:41.964{6AAC6DF5-C95D-6218-7603-000000003802}2616C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6AAC6DF5-B0B0-6218-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{6AAC6DF5-B0B2-6218-2200-000000003802}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000134505Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:41.962{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7576B15BECB23F8D17CD700D87810FA0,SHA256=9032C787204E4765EF59E99BC5B46B2C222D775EC7F5750EF83D9B951CE33B2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134504Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:41.962{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCA4185D12A60BEE5AF0D5CDA152C096,SHA256=BB5DDF5DA6BCC663FC0E676129D084907BB3621E5207F1D58013DBDEC9F2B223,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000134503Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:41.493{6AAC6DF5-C95D-6218-7503-000000003802}27363360C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{6AAC6DF5-B0B2-6218-2200-000000003802}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134502Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:41.337{6AAC6DF5-B0B4-6218-2B00-000000003802}28082828C:\Windows\system32\conhost.exe{6AAC6DF5-C95D-6218-7503-000000003802}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134501Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:41.337{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134500Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:41.337{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134499Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:41.337{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134498Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:41.337{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134497Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:41.337{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134496Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:41.337{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134495Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:41.337{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134494Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:41.337{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134493Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:41.337{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134492Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:41.337{6AAC6DF5-B0AF-6218-0500-000000003802}424440C:\Windows\system32\csrss.exe{6AAC6DF5-C95D-6218-7503-000000003802}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000134491Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:41.337{6AAC6DF5-B0B2-6218-2200-000000003802}15003888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6AAC6DF5-C95D-6218-7503-000000003802}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000134490Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:41.337{6AAC6DF5-C95D-6218-7503-000000003802}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6AAC6DF5-B0B0-6218-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{6AAC6DF5-B0B2-6218-2200-000000003802}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000189342Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:42.066{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B4DE742A29F26B85EDB1BC414D0AE59,SHA256=89A1D0A7CE94809D6B4CF1816DC8A1CA41749A0FF0F1911B61878506BD5A64FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134521Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:42.993{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7EFB964812328CAD23502CECFA0A2B78,SHA256=BCD64946F7B15C3357E885715734820B494C7DA08CCC74348335E4907DBF3041,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134520Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:42.508{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABBE2D9439B549206F5CC9024E216C0C,SHA256=9F45C20DAC908E25253A7D8F20023C656C0998149707EA4FF81F826D3735DE92,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000134523Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:41.658{6AAC6DF5-B0C0-6218-5B00-000000003802}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-933.eu-central-1.compute.internal50927-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000134522Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:43.508{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F4BD6590DA6FEFD05B8157B8037B61A,SHA256=2005AE949259D112AD3B81250C7CAFB623E23E48DA05FBBBD42715DBD218DAA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189343Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:43.097{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02362AED39BD94714F749784DD484BD6,SHA256=A91A9371DC4E6ADEEDC45A9578FDBD454CEB1AE4CE4B614AF6A45504765BEF05,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000134538Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:44.852{6AAC6DF5-C960-6218-7703-000000003802}32003140C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6AAC6DF5-B0B2-6218-2200-000000003802}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134537Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:44.712{6AAC6DF5-B0B4-6218-2B00-000000003802}28082828C:\Windows\system32\conhost.exe{6AAC6DF5-C960-6218-7703-000000003802}3200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134536Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:44.712{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134535Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:44.712{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134534Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:44.712{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134533Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:44.712{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134532Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:44.712{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134531Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:44.712{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134530Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:44.712{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134529Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:44.712{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134528Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:44.712{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134527Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:44.712{6AAC6DF5-B0AF-6218-0500-000000003802}424440C:\Windows\system32\csrss.exe{6AAC6DF5-C960-6218-7703-000000003802}3200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000134526Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:44.712{6AAC6DF5-B0B2-6218-2200-000000003802}15003888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6AAC6DF5-C960-6218-7703-000000003802}3200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000134525Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:44.713{6AAC6DF5-C960-6218-7703-000000003802}3200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{6AAC6DF5-B0B0-6218-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6AAC6DF5-B0B2-6218-2200-000000003802}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000134524Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:44.524{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C1B04100A50363929818973A2555D4F,SHA256=F3196392EA69B879954BDD5D3233BF2A3114532A240FACF32D33E7EB752B535C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189344Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:44.112{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9C39C6AABD2CEF25804CEFC3C487E7F,SHA256=140D919DB66A6814B43348B6A921DD9B28192693F80EC92CF4E1E905C2D3A89E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134554Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:45.852{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC7266E643CA06B22A6A607B5DAF6128,SHA256=3D0D7C6324324417B7AF625D79902BBC67138255ADF02D70E8B3977A59D1320B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134553Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:45.852{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=559F5AF9AD037E5311741746F842FA98,SHA256=AC3CA2BB5EE6B269688C30AB9B10048F547A6D30C98F2556290D08EAD5B8B22D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000134552Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:45.540{6AAC6DF5-C961-6218-7803-000000003802}32923372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6AAC6DF5-B0B2-6218-2200-000000003802}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000189346Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:45.222{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D346ACE7A261A9F10A9EC2AC524893E,SHA256=32AA38479099437FB71204C93B680437C9EFEE4920370755CF0681D8623138D7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000134551Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:45.384{6AAC6DF5-B0B4-6218-2B00-000000003802}28082828C:\Windows\system32\conhost.exe{6AAC6DF5-C961-6218-7803-000000003802}3292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134550Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:45.384{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134549Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:45.384{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134548Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:45.384{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134547Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:45.384{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134546Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:45.384{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134545Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:45.384{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134544Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:45.384{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134543Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:45.384{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134542Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:45.384{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134541Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:45.384{6AAC6DF5-B0AF-6218-0500-000000003802}424440C:\Windows\system32\csrss.exe{6AAC6DF5-C961-6218-7803-000000003802}3292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000134540Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:45.384{6AAC6DF5-B0B2-6218-2200-000000003802}15003888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6AAC6DF5-C961-6218-7803-000000003802}3292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000134539Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:45.384{6AAC6DF5-C961-6218-7803-000000003802}3292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6AAC6DF5-B0B0-6218-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6AAC6DF5-B0B2-6218-2200-000000003802}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000189345Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:43.728{414E8EDF-B0C9-6218-6A00-000000003702}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52622-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000189395Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:46.487{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAF7128822648F0279EE71ECCE655D4E,SHA256=611DBD291291A9BE91F60826E68E87AB8B5A9A4561A718453FEB291CE4753B3B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000134568Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:46.884{6AAC6DF5-B0B4-6218-2B00-000000003802}28082828C:\Windows\system32\conhost.exe{6AAC6DF5-C962-6218-7903-000000003802}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134567Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:46.884{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134566Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:46.884{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134565Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:46.884{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134564Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:46.884{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134563Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:46.884{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134562Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:46.884{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134561Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:46.884{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134560Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:46.884{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134559Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:46.884{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134558Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:46.884{6AAC6DF5-B0AF-6218-0500-000000003802}424540C:\Windows\system32\csrss.exe{6AAC6DF5-C962-6218-7903-000000003802}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000134557Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:46.884{6AAC6DF5-B0B2-6218-2200-000000003802}15003888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6AAC6DF5-C962-6218-7903-000000003802}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000134556Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:46.884{6AAC6DF5-C962-6218-7903-000000003802}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6AAC6DF5-B0B0-6218-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{6AAC6DF5-B0B2-6218-2200-000000003802}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000134555Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:46.555{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CCB06696009E4CF5101B142C612B3FD,SHA256=3E5A5087A45B4A980087C12CE484DF913C6DB86880498115BCD94507A3C4870B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000189394Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:46.050{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DD-6218-8900-000000003702}4020C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189393Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:46.050{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DD-6218-8900-000000003702}4020C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189392Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:46.050{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DD-6218-8900-000000003702}4020C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189391Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:46.050{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DD-6218-8900-000000003702}4020C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189390Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:46.050{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DD-6218-8900-000000003702}4020C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189389Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:46.050{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DD-6218-8900-000000003702}4020C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189388Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:46.050{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DD-6218-8900-000000003702}4020C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189387Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:46.050{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DD-6218-8900-000000003702}4020C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189386Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:46.050{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DD-6218-8900-000000003702}4020C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189385Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:46.050{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DD-6218-8A00-000000003702}4764C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189384Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:46.050{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DD-6218-8A00-000000003702}4764C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189383Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:46.050{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DD-6218-8A00-000000003702}4764C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189382Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:46.050{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2700-000000003702}2764C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189381Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:46.050{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2700-000000003702}2764C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189380Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:46.050{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189379Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:46.050{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189378Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:46.050{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189377Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:46.050{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189376Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:46.050{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189375Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:46.050{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189374Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:46.050{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189373Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:46.050{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189372Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:46.050{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189371Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:46.050{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189370Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:46.050{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189369Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:46.050{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189368Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:46.050{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189367Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:46.050{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189366Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:46.050{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189365Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:46.050{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189364Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:46.050{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189363Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:46.050{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189362Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:46.050{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189361Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:46.050{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189360Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:46.050{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189359Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:46.050{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189358Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:46.050{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189357Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:46.050{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189356Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:46.050{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189355Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:46.050{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189354Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:46.050{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189353Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:46.050{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189352Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:46.050{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189351Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:46.050{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189350Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:46.050{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189349Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:46.050{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189348Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:46.050{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189347Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:46.050{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000189396Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:47.550{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2607D15376938736ADA4565DED51C9E5,SHA256=7356DC79CE9D2767649FAE06334774501695266653ABA3D4A48B77C6A5A0F4AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134571Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:47.899{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D7DB62E7BABB33BD7D383CA2F6C2588C,SHA256=5B810D72918897C965C89CBAD864CC37686BD46FF112005AE7F9D926D5986094,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134570Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:47.571{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38B2D9E24C1D8A21FB00E40C2504B601,SHA256=97E7486D801CE88084037A36DC9D3AB707D5DA823916AD3BFD68DC2ADF7ABDA9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000134569Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:47.040{6AAC6DF5-C962-6218-7903-000000003802}30523236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{6AAC6DF5-B0B2-6218-2200-000000003802}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000189397Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:48.581{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0563EAB4F71C5A823C01C941C2EFF9B7,SHA256=CF42887B1CDD43DCEF9624C150371828BF5E806B77239B3825EF9A7056A2EEAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134585Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:48.587{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C623D5B4ED5742FF7C6A41E52A25583,SHA256=EF7D54964E096A410CA5D34230FEE8F4E40D661187A571E8F51E86EA2C1E8384,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000134584Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:48.290{6AAC6DF5-B0B4-6218-2B00-000000003802}28082828C:\Windows\system32\conhost.exe{6AAC6DF5-C964-6218-7A03-000000003802}1548C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134583Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:48.290{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134582Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:48.290{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134581Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:48.290{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134580Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:48.290{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134579Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:48.290{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134578Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:48.290{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134577Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:48.290{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134576Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:48.290{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134575Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:48.290{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134574Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:48.290{6AAC6DF5-B0AF-6218-0500-000000003802}4241012C:\Windows\system32\csrss.exe{6AAC6DF5-C964-6218-7A03-000000003802}1548C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000134573Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:48.290{6AAC6DF5-B0B2-6218-2200-000000003802}15003888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6AAC6DF5-C964-6218-7A03-000000003802}1548C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000134572Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:48.291{6AAC6DF5-C964-6218-7A03-000000003802}1548C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6AAC6DF5-B0B0-6218-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{6AAC6DF5-B0B2-6218-2200-000000003802}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000189398Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:49.612{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A261131C3DDD2BD1A6D04CB418E1CAF8,SHA256=2783C04DECB5A31908ED8188873765057992610CAF46946F6DCF55E90F67F0B2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000134588Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:47.563{6AAC6DF5-B0C0-6218-5B00-000000003802}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-933.eu-central-1.compute.internal50928-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000134587Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:49.594{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D72DD7C8A468768E6437FD78EC503465,SHA256=DE9DB89B38DED939F17ADE8C0296E3B6D3C75006B6E4EC1C8A855F65B1FE167D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134586Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:49.321{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C727CB870568E9099618EC59F7A40C9A,SHA256=68B4AA5351812C9A40F5A74281D84085A57C368A38377EF015D58A4A814EBC87,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000189415Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:50.815{414E8EDF-B0C0-6218-3300-000000003702}31843204C:\Windows\system32\conhost.exe{414E8EDF-C966-6218-C403-000000003702}5780C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189414Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:50.815{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189413Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:50.815{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189412Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:50.815{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189411Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:50.815{414E8EDF-B0AE-6218-0500-000000003702}4165324C:\Windows\system32\csrss.exe{414E8EDF-C966-6218-C403-000000003702}5780C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000189410Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:50.815{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189409Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:50.815{414E8EDF-B0BE-6218-2900-000000003702}27923692C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{414E8EDF-C966-6218-C403-000000003702}5780C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000189408Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:50.816{414E8EDF-C966-6218-C403-000000003702}5780C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{414E8EDF-B0AE-6218-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{414E8EDF-B0BE-6218-2900-000000003702}2792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000189407Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:50.800{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85BDA19F9B044B7D572460FE1C9F0B2A,SHA256=1EE88A55571DC208B60C3F7AB5FFF2B41EA8AB1BACA971900B66089E0C0F928F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134589Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:50.602{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2141094B082A4C212F9D080FEE34867,SHA256=368BA97E5B7C9A075165A1E2209D1D5252D036EA3FF5E9048AD9CFB3D37E373F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000189406Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:50.315{414E8EDF-B0C0-6218-3300-000000003702}31843204C:\Windows\system32\conhost.exe{414E8EDF-C966-6218-C303-000000003702}2116C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189405Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:50.315{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189404Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:50.315{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189403Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:50.315{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189402Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:50.315{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189401Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:50.315{414E8EDF-B0AE-6218-0500-000000003702}4165324C:\Windows\system32\csrss.exe{414E8EDF-C966-6218-C303-000000003702}2116C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000189400Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:50.315{414E8EDF-B0BE-6218-2900-000000003702}27923692C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{414E8EDF-C966-6218-C303-000000003702}2116C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000189399Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:50.316{414E8EDF-C966-6218-C303-000000003702}2116C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{414E8EDF-B0AE-6218-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{414E8EDF-B0BE-6218-2900-000000003702}2792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000189436Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:51.894{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C04FE3409507522B277E9EB2AA95D1C,SHA256=32D691A1BB67CB0CB700B65451E06647B4908191D424F0ED1253B659C215A487,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000189435Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:51.894{414E8EDF-B0C0-6218-3300-000000003702}31843204C:\Windows\system32\conhost.exe{414E8EDF-C967-6218-C603-000000003702}360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189434Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:51.894{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189433Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:51.894{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189432Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:51.894{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189431Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:51.894{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189430Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:51.894{414E8EDF-B0AE-6218-0500-000000003702}416532C:\Windows\system32\csrss.exe{414E8EDF-C967-6218-C603-000000003702}360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000189429Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:51.894{414E8EDF-B0BE-6218-2900-000000003702}27923692C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{414E8EDF-C967-6218-C603-000000003702}360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000189428Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:51.895{414E8EDF-C967-6218-C603-000000003702}360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{414E8EDF-B0AE-6218-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{414E8EDF-B0BE-6218-2900-000000003702}2792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000134590Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:51.618{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92F04850FFA4D5CE83CC55D223399D5A,SHA256=E6BB206F479C371CA5188A4AB34A996DDB5659C5653C10FAA6A31807CE7C704F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000189427Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:51.628{414E8EDF-C967-6218-C503-000000003702}47443336C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{414E8EDF-B0BE-6218-2900-000000003702}2792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189426Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:51.394{414E8EDF-B0C0-6218-3300-000000003702}31843204C:\Windows\system32\conhost.exe{414E8EDF-C967-6218-C503-000000003702}4744C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189425Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:51.394{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189424Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:51.394{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189423Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:51.394{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189422Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:51.394{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189421Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:51.394{414E8EDF-B0AE-6218-0500-000000003702}416372C:\Windows\system32\csrss.exe{414E8EDF-C967-6218-C503-000000003702}4744C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000189420Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:51.394{414E8EDF-B0BE-6218-2900-000000003702}27923692C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{414E8EDF-C967-6218-C503-000000003702}4744C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000189419Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:51.395{414E8EDF-C967-6218-C503-000000003702}4744C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{414E8EDF-B0AE-6218-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{414E8EDF-B0BE-6218-2900-000000003702}2792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000189418Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:51.362{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=64B24BFA95201EEDE99FFD3E0C2C3A31,SHA256=2DFA0EE258AAE4017B9D5EC51EE63C31243B5CC3438415AD14FAECC01F19198C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189417Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:51.362{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0562F8A4D44AFCF06E2FA694780D2EC8,SHA256=048A2F1E2301464879CFFAE2BE96182184C39B14F5A31C1FF4D6D84F959A90EC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000189416Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:49.665{414E8EDF-B0C9-6218-6A00-000000003702}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52623-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000189439Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:52.940{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6984D4B2A4C7EC77934738D148072ED,SHA256=D04A5B05D95B805E79A877E5DF8BF7304CAB085EE8A2323EACADE4F6BAA5D43F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134591Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:52.618{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01F08A890BA240DA42CEEE0118032876,SHA256=835A94573AE0B17820E1BA50B32ACFAE07BC53FF9A72EA949F4813D521B93EE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189438Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:52.425{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=64B24BFA95201EEDE99FFD3E0C2C3A31,SHA256=2DFA0EE258AAE4017B9D5EC51EE63C31243B5CC3438415AD14FAECC01F19198C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000189437Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:52.159{414E8EDF-C967-6218-C603-000000003702}3601932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{414E8EDF-B0BE-6218-2900-000000003702}2792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000189458Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:53.956{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1AB4B62152A99CC9A7A481E399BAB44,SHA256=89F964E2F079FD1403D95BF964AE50BEF26F6204E44835C7A00251D6ACB80E2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134592Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:53.634{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46372107FECA159046AC1CA5DE94214D,SHA256=A3A39A794AF8BA623B6744E29ACF2F5C39A744B1BC528ED1E63B606CEF678F9D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000189457Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:53.659{414E8EDF-C969-6218-C803-000000003702}59765532C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{414E8EDF-B0BE-6218-2900-000000003702}2792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189456Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:53.503{414E8EDF-B0C0-6218-3300-000000003702}31843204C:\Windows\system32\conhost.exe{414E8EDF-C969-6218-C803-000000003702}5976C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189455Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:53.503{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189454Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:53.503{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189453Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:53.503{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189452Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:53.503{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189451Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:53.503{414E8EDF-B0AE-6218-0500-000000003702}416532C:\Windows\system32\csrss.exe{414E8EDF-C969-6218-C803-000000003702}5976C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000189450Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:53.503{414E8EDF-B0BE-6218-2900-000000003702}27923692C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{414E8EDF-C969-6218-C803-000000003702}5976C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000189449Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:53.504{414E8EDF-C969-6218-C803-000000003702}5976C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{414E8EDF-B0AE-6218-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{414E8EDF-B0BE-6218-2900-000000003702}2792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000189448Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:53.222{414E8EDF-C969-6218-C703-000000003702}58484652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{414E8EDF-B0BE-6218-2900-000000003702}2792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189447Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:53.003{414E8EDF-B0C0-6218-3300-000000003702}31843204C:\Windows\system32\conhost.exe{414E8EDF-C969-6218-C703-000000003702}5848C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189446Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:53.003{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189445Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:53.003{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189444Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:53.003{414E8EDF-B0AE-6218-0500-000000003702}416432C:\Windows\system32\csrss.exe{414E8EDF-C969-6218-C703-000000003702}5848C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000189443Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:53.003{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189442Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:53.003{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189441Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:53.003{414E8EDF-B0BE-6218-2900-000000003702}27923692C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{414E8EDF-C969-6218-C703-000000003702}5848C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000189440Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:53.004{414E8EDF-C969-6218-C703-000000003702}5848C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{414E8EDF-B0AE-6218-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{414E8EDF-B0BE-6218-2900-000000003702}2792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000134593Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:54.634{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB95F2C6F1FE592E49371CE9B43806AE,SHA256=F350CDBC8F6E890CC75316EBF9CEE92A4720854E6755A3DA2C26C347204AC36A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000189461Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:52.868{414E8EDF-B0AE-6218-0B00-000000003702}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-478.attackrange.local52624-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-478.attackrange.local389ldap 354300x8000000000000000189460Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:52.868{414E8EDF-B0BE-6218-2B00-000000003702}2820C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-478.attackrange.local52624-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-478.attackrange.local389ldap 23542300x8000000000000000189459Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:54.034{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C672236B6767E9E82F953BE6A97CE538,SHA256=3D7420A76AF5ABCF3D596AE728E5FB8B695C7B911D18080897704F7DC827FF14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134595Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:55.649{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F9DA75E0379DB0D170A50243BF2E3F0,SHA256=8A4788AB0D7E1CB4084DCFF81E5D430F9394E4ECA2DCDD4A87A617295DC09E39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189462Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:54.987{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FA82718E2CDC7976D071B30F391C086,SHA256=6DF39EC72AEFF24A55E02D06EE712C34E79352FF7C02D1CBAC014105F6C37BAF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000134594Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:52.610{6AAC6DF5-B0C0-6218-5B00-000000003802}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-933.eu-central-1.compute.internal50929-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000134596Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:56.696{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23576C7A3F5D925769C6955BC8424E33,SHA256=5EEAF2BAB2541A5CDA579E3E6604D405A2C0E5D14A65F23ADD26B77544E41CE0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000189471Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:56.987{414E8EDF-B0C0-6218-3300-000000003702}31843204C:\Windows\system32\conhost.exe{414E8EDF-C96C-6218-C903-000000003702}1072C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189470Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:56.987{414E8EDF-B0AE-6218-0500-000000003702}4165324C:\Windows\system32\csrss.exe{414E8EDF-C96C-6218-C903-000000003702}1072C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000189469Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:56.987{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189468Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:56.987{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189467Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:56.987{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189466Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:56.987{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189465Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:56.987{414E8EDF-B0BE-6218-2900-000000003702}27923692C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{414E8EDF-C96C-6218-C903-000000003702}1072C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000189464Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:56.988{414E8EDF-C96C-6218-C903-000000003702}1072C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{414E8EDF-B0AE-6218-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{414E8EDF-B0BE-6218-2900-000000003702}2792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000189463Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:56.003{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53B8E57B5B6F61A29DC558DC547E445F,SHA256=244D15A354AFB9172103FEAFD52BB7469DD55C3F46A2CC13D46BB2CCAAB49FB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134597Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:57.743{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA7A4B5EC6A0B183FDD4A45F6EFD55C0,SHA256=795ABD440C5E94C746900A4BD570C053FD4328EC30A0FBC818C65DB53422386B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000189473Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:55.618{414E8EDF-B0C9-6218-6A00-000000003702}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52625-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000189472Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:57.019{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A58B1698168DBFDDCC5977EA4E66EF5,SHA256=4F5C1E92098CE7E2211304ECE7122DBA6EB623ADB14DC23162BFBE7FDB60825F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134598Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:58.759{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44CBDF89DBA07AA73DE6941DF796A14E,SHA256=9B7A6E79215957DC38AEAFA3FE2FEDE1FD81AC674B76E523EF00F00D435C42BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189475Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:58.066{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A17CA6C60684A491F7D7AD9EC747186,SHA256=181F470B274FD5F04EE7A3CE289DC98F7B0731050EF976A8F6B9E8FDE53B9F37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189474Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:58.019{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=93B025B37D989B5517C81CB63E6948D8,SHA256=A679C9967CCA03D2962881CF47A253366288932DE1C3054E05B51D49BDE482D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134599Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:59.790{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16FF0C8B3FB8B6C78213744A48DEC20F,SHA256=37D6445FA06EF6567F034979BA13CBE6F865A6C707EF2EA7EBCDA4F23AF0827E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189476Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:59.097{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51CDD045E78B9B6E187D7D06B1067F8E,SHA256=FDB495DF800F5E993917B289AE0EA43427A14685CB1E74106735A941BCB3F136,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134601Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:00.806{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=147089CC78D6476E174B5FE5EF767A81,SHA256=3540D67911BEB08F17288D51EFC3FA1B29D70E9323A05FCC4D90B4DBE4FB1A3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189477Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:00.144{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CAAC56D3E6779A2518873A969D989B3,SHA256=0F00C9A6507A7D9F398B6FE59CC3EA6AF599FF7B460B27D5716E08C0D8789C86,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000134600Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:57.673{6AAC6DF5-B0C0-6218-5B00-000000003802}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-933.eu-central-1.compute.internal50930-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000134602Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:01.821{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=334E97F647E018573263B539AE91FEE4,SHA256=DAC78EDF370BA92065681DB880C48768524E845F029D6D239E29A38DA493D4EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189478Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:01.159{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14791B63559370B933EC7288C7ABFC8C,SHA256=E5F03A1B7B1B303623219C5BB9989DEF38FB5D199EFDF3DAF5F6BAD1E49BB4BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134603Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:02.837{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB4EC5D1EBD193E37BAC80BAD8609A9B,SHA256=92FC339363E81D89AC398C8F7AC2679014006A0B65570F6A6A72C7FC60BD98B3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000189480Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:00.650{414E8EDF-B0C9-6218-6A00-000000003702}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52626-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000189479Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:02.160{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD2D6D3BCF008D883B7770BFD3835803,SHA256=8E62A853FCCB26F47A0DDFC6F5E4F4272D951862E6D7942E587256DEBB616F0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134604Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:03.853{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B14A2FF7AE790192030DACBFEB517B7,SHA256=E45D21D4183D9AD692D2E4F22EFA20ACA34C509CEAF5111363A2D83F0623B0B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189481Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:03.237{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07F75FB4F8B820AA92EDC4E0649D72C8,SHA256=8E2F88A6115086F0A983E79730E8FF31C1AC52A807FFD82F1DC434E151FE4342,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134605Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:04.868{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C652412C9F4076AEFC2C687654E59010,SHA256=B6C9A240379733FCD1BE159C4A12ADDDDCC9C145B760A8FB791534A349CD7884,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189482Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:04.237{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0DBD3640294B0F34D8DC4873A088998,SHA256=F3181792A26130E20EBDE25FD9C6EF446ADE224619270FFDF1CD1BC6CBF69668,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134607Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:05.884{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFCF5CC01CBE58CB6947CEC95AAB4EEA,SHA256=AD5B0755324734EC93719A7DAAB5CE0B8498A44C09FAEFBAC56656486DB3DC56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189483Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:05.269{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DA94DA25629B477C6E8DD0BFF563871,SHA256=2A133489C6DA0768A4500810A4571AEBEFF287990F26F3251948B09B07C5175A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000134606Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:03.657{6AAC6DF5-B0C0-6218-5B00-000000003802}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-933.eu-central-1.compute.internal50931-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000134609Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:06.962{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F39759D0B3258A21FA6BB6E4F2153F00,SHA256=B2FD9318599504ACE9F8DF657873C6D620A7FDE625AE06497C074902632DB057,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189484Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:06.503{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38D41291CA100F6D006DE3B5DE76EE23,SHA256=C7213AF478833B6D659AEB778C37CAFF7B905A62698EF471A410D476EE9F142C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134608Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:06.042{6AAC6DF5-B0B2-6218-1D00-000000003802}1952NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d7ccee276d30a4b6\channels\health\respondent-20220225103429-102MD5=FBD42F5F8AA0DC0DD6067820063FF10B,SHA256=AAA41009555F09EFB0ED817562D7125DD50A33AE671816E82835424EE5CAE232,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134611Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:07.977{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DA6EC0BFD25B16D4B774A6F9BB289D8,SHA256=F85D8A296AD16E9DE3B2AFF707067A221AFA38C4FCA5F61C264D4A8E7E6D8489,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000189486Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:07.800{414E8EDF-B0AE-6218-0B00-000000003702}632804C:\Windows\system32\lsass.exe{414E8EDF-B0B1-6218-1400-000000003702}972C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000189485Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:07.534{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50AD42B9A4D2ECF88720DC16AA16E96D,SHA256=DC9836A651E85EBE8B92E242E7C414CE95194DF03E6FAB75E1BAC36CF43D9796,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134610Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:07.057{6AAC6DF5-B0B2-6218-1D00-000000003802}1952NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d7ccee276d30a4b6\channels\health\surveyor-20220225103427-103MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134612Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:08.993{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCE8C858B9485D7574A2BBAE1C740C26,SHA256=DEDDEF3623F3FF759F3C22938741E0E50C09F6A4319B0204E5DE15FCBAE5B7B8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000189492Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:06.650{414E8EDF-B0C9-6218-6A00-000000003702}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52627-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000189491Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:08.550{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F87997C9AFD5B382011546DEDDECB57,SHA256=39818ADE4389EAD1CF530E837068F0569579171A26ECBE7311F3A838C7CF47B8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000189490Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:08.206{414E8EDF-B0AE-6218-0B00-000000003702}632684C:\Windows\system32\lsass.exe{414E8EDF-B0AB-6218-0100-000000003702}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+97022|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2f1f1|C:\Windows\system32\lsasrv.dll+2d0d6|C:\Windows\system32\lsasrv.dll+32475|C:\Windows\system32\lsasrv.dll+302fb|C:\Windows\system32\lsasrv.dll+2f1f1|C:\Windows\system32\lsasrv.dll+1752d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000189489Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:08.206{414E8EDF-B0AE-6218-0B00-000000003702}632684C:\Windows\system32\lsass.exe{414E8EDF-B0B1-6218-1400-000000003702}972C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189488Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:08.113{414E8EDF-B0AE-6218-0B00-000000003702}632684C:\Windows\system32\lsass.exe{414E8EDF-B0B1-6218-1600-000000003702}1288C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189487Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:08.097{414E8EDF-B0AE-6218-0B00-000000003702}632804C:\Windows\system32\lsass.exe{414E8EDF-B0B1-6218-1600-000000003702}1288C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000189501Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:09.784{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8CB7E91482011826CE08F6EC168AD3F,SHA256=301AF6811442164396E05E04A8B71ACA3065F03CC1BCD090A29F4E8AD605B7A8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000189500Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:08.623{414E8EDF-B0AE-6218-0B00-000000003702}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52630-false10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local389ldap 354300x8000000000000000189499Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:08.623{414E8EDF-B0B1-6218-1600-000000003702}1288C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52630-false10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local389ldap 354300x8000000000000000189498Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:08.608{414E8EDF-B0AE-6218-0B00-000000003702}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:5147:9304:4b1c:595fwin-dc-tcontreras-attack-range-478.attackrange.local52629-truefe80:0:0:0:5147:9304:4b1c:595fwin-dc-tcontreras-attack-range-478.attackrange.local389ldap 354300x8000000000000000189497Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:08.608{414E8EDF-B0B1-6218-1600-000000003702}1288C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:5147:9304:4b1c:595fwin-dc-tcontreras-attack-range-478.attackrange.local52629-truefe80:0:0:0:5147:9304:4b1c:595fwin-dc-tcontreras-attack-range-478.attackrange.local389ldap 354300x8000000000000000189496Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:08.314{414E8EDF-B0AB-6218-0100-000000003702}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:5147:9304:4b1c:595fwin-dc-tcontreras-attack-range-478.attackrange.local52628-truefe80:0:0:0:5147:9304:4b1c:595fwin-dc-tcontreras-attack-range-478.attackrange.local445microsoft-ds 354300x8000000000000000189495Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:08.309{414E8EDF-B0AB-6218-0100-000000003702}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:5147:9304:4b1c:595fwin-dc-tcontreras-attack-range-478.attackrange.local52628-truefe80:0:0:0:5147:9304:4b1c:595fwin-dc-tcontreras-attack-range-478.attackrange.local445microsoft-ds 23542300x8000000000000000189494Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:09.128{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6616E22E64564226A69578B1FD09789E,SHA256=6E785D417AD61D14C6DA6FB09ADB527B0B2946CA615FFABB3FC44AD414924044,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189493Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:09.128{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D05A2706096DF6C54CB14CF71172A2DB,SHA256=5BA28762C1CB45DCC72F53DFDD9BC8FDB404219BA5CC6581E9067F2E6C00B171,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189502Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:10.863{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC9E73B50B26DF562AA58739627CE61D,SHA256=A6D77DD6A79BA4890A90689C06EB7F7D177FB7FC700BEC0EE6FC630594E12544,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134613Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:10.024{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A99947EDDF010C22852088FC1BAC118,SHA256=382553DE8441680D7492D230EF387451A58321396B3CC29BE10EB5177DDD9C8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189503Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:11.941{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48E5F2A0D388A155CC199BFA69683E65,SHA256=DE42A42D2A8F0CCE82800281588B964B9FE4B3C8500952E4E2C8C97CD6491CBB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000134615Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:09.673{6AAC6DF5-B0C0-6218-5B00-000000003802}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-933.eu-central-1.compute.internal50932-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000134614Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:11.040{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=121088D21AE237DE67A2B0BFAE6319C4,SHA256=170ED0A9694C23B3F4E158E1C2A9424BE7192E65CB6193D31BBD3F37E46079C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189504Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:12.941{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D96C70CE58C000D3CB6F93166C38964A,SHA256=543B258B90F12D07CB641899CF37BDC16901652810AD1E1469A1E1269888F55F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134616Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:12.087{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E24DB006B5D270AE13970F969BF9CE2A,SHA256=2E29F2932629FDB5296A8CF872DB888BD8D10D5E71B8F4E5447CAB53C15391C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189508Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:13.956{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02C77C4B3BDC3C8D366C1A22FC0B0FDC,SHA256=59CD00BCA16D18BFC1F56E78AEBDE5275E2BDB1422065D0182BC6DFE878062F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134617Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:13.134{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D63FCFBA8F6FA617145BDF6FFB79E906,SHA256=2D458FC6910A21337F3D7DC77563F72C2F8161EFB47B3921D1C25F4226A2518A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000189507Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:12.602{414E8EDF-B0C9-6218-6A00-000000003702}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52631-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000189506Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:13.066{414E8EDF-B0AE-6218-0B00-000000003702}632684C:\Windows\system32\lsass.exe{414E8EDF-B0B1-6218-1200-000000003702}500C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189505Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:13.066{414E8EDF-B0AE-6218-0B00-000000003702}632684C:\Windows\system32\lsass.exe{414E8EDF-B0B1-6218-1200-000000003702}500C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000189510Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:14.972{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D268B943C57D1059115018C4FA29F400,SHA256=820433EF682BF3B16E06849EECD05F0115F6AC95D88DB19E4177B8D4FBA1B5A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134618Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:14.165{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F22DA34E081D670162D18B450BB9709,SHA256=E80BFC52F2D55BF251F09D532CB37335D453B0E12E12748A477695D06B659E95,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000189509Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:13.574{414E8EDF-B0BE-6218-2A00-000000003702}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-478.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-478.attackrange.local58956- 23542300x8000000000000000134619Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:15.181{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=013A4436552796EBDC5E3E635CAE4FF7,SHA256=37DC184FD433C9C94A497795D25E59209DBE7379154F13B6948C9506DF175658,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134620Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:16.196{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAA80E5B9DECBC3F5B3764702E32E83A,SHA256=3C82CC42F8FF88C447ADCD2149970A9CB5FA38165A975A39F295E7769A50D6A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189512Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:16.836{414E8EDF-B0BE-6218-2400-000000003702}2716NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0cad71091a725587e\channels\health\respondent-20220225103441-102MD5=E961008872A85D9E7B2EDCDB9076BE5A,SHA256=4C7B4263F3F8553ACCFCCC53A0FA56737D447810FFCB4A43A3BA8D688A9FDFED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189511Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:16.003{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=241DDF8EE689C46AC934F3AEFC3108B8,SHA256=2EB44C22DFCB82EE7CDCF7F433DD8EA051F5FC5BE47E2FFC12F0DA28B22B660A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134621Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:17.228{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CF6C9B39056176F561A23343C6EB973,SHA256=D77037D10ED29CB6882B3E2AAAC629450FA6C0192BC9E6C03394E113CF50BF64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189514Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:17.838{414E8EDF-B0BE-6218-2400-000000003702}2716NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0cad71091a725587e\channels\health\surveyor-20220225103439-103MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189513Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:17.008{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D16453F098ADDE3D2C54B29E959519D,SHA256=B1FEB6E30EFA3E85C59D10A2BB6CAC2638270C2B13FCFF6F649BEA048C384BBF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134623Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:18.259{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F804AD0BA71440DBF47202556D5BFDF,SHA256=25F976C5C716E623588E40C60D6556FC8911A862229FA4A72BCFF9787E437A68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189515Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:18.022{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FB7F133C933A41C53075C0B471082EC,SHA256=9F8064240A3B283A5D601660B8DD2C39625A25BD86797204155B33676102129B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000134622Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:15.656{6AAC6DF5-B0C0-6218-5B00-000000003802}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-933.eu-central-1.compute.internal50933-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000134624Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:19.274{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6D30113E11C524C47B5135310393CC7,SHA256=5446498821F60DB44F02F260B300ACEA2B287BF74E76BD0C82B274DE75071146,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000189519Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:18.590{414E8EDF-B0C9-6218-6A00-000000003702}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52632-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000189518Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:19.822{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=391BCADA9FA2580BE03EF0BF0A51D65D,SHA256=507434BBDFC93F686B865717F70CECF4CD8B337C22FFD8275CD239F3534AE588,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189517Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:19.822{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6616E22E64564226A69578B1FD09789E,SHA256=6E785D417AD61D14C6DA6FB09ADB527B0B2946CA615FFABB3FC44AD414924044,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189516Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:19.025{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E1CC49BC77FC6F8FD525B999B9522D1,SHA256=AFB31A0C7F912B48B58A719E9BEA66A74AC1FA5AB72533AF4B257757096FA05E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134625Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:20.368{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C710C546EEF161E8D34A71AFE4E5E0D5,SHA256=113F6F37083B0B1EFA847A85AF8EA7670891AAE4F4D66AB97DA7D3077E4963BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189520Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:20.041{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0D2C570725B2A25A0EAEA49F77A6A07,SHA256=BF088DE87AAE07AA55EB152851C729ABC7F64465E2AB9D7CFDB73FB43310BBF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134626Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:21.400{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D0C67EF8A90719FBB4BC1D4BDDF0823,SHA256=39AC2F8B6E2FC3FEE7AB51D19F8DF38D1C7A142BD21946300AEA9B60A8BF6169,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189521Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:21.057{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7F726FD69CBBBB070E42C4352B619D2,SHA256=79020D898DFE911E95EC7C3F3B2DD7B286BD7A7E896093B62D1C38B5699EECF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134627Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:22.446{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=478E366DAFBA29820262F71A4B4FAA87,SHA256=6763A19A64358F700014DA60AFD657D076E9349C9C74B7E959D7959F72037197,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189522Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:22.057{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2ABBA68A30A47C302D4E89F1F8903CB7,SHA256=D64765BB6AD194C222D65EAC4BA9483E4A680093C101C5D050CFBA9A55366B52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134628Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:23.462{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CBEED983ECEB3A551B6294F5EA9F18A,SHA256=2C5718623ECF70A607DF443E49A580841C8DC824D33156AAEB7ED2C1C6614CEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189523Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:23.072{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9072C6BB7263798E676B0E000D75DD5A,SHA256=537C7442968444FE937FFC74B8900B57FA3F08BB9709A7CF168C1E31337A11DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134630Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:24.493{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FC677070A3416BD2945B00482041928,SHA256=EB0A19F727CC7F7F382EB24CCAEA148C5C4EBBABCF08989271FF3B724C21BD9A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000189525Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:23.593{414E8EDF-B0C9-6218-6A00-000000003702}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52633-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000189524Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:24.088{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=917FBE4E0D36C1E866F962251778A31A,SHA256=70C673133C7F1116A06F328AC78FFC3705441FEA34A8AAACF62BD4529AAE9DBA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000134629Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:21.656{6AAC6DF5-B0C0-6218-5B00-000000003802}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-933.eu-central-1.compute.internal50934-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000134631Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:25.509{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98BE3688A17ACBA8B4B8B73A8F6BE561,SHA256=47A4E86B674DEB5D2A97E64C5EFB140C40B9C13597D121A9ED56ABA98E51B28C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189527Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:25.494{414E8EDF-B0B1-6218-1100-000000003702}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=1D1F70383802748080B012B698309306,SHA256=536EFA742A1BA0A40386D4F47D55259106C002D7E24795E09670CA13B85851D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189526Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:25.088{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A4586B0A73D6C29F1ACE091F17A651E,SHA256=4C47D2AF71F596E18F5D6EEF7BE6BA882FE556566BAC654D05B06293A8D2B79E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134633Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:26.790{6AAC6DF5-B0B1-6218-1300-000000003802}108NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=18F81E47B794EAA57CD5589514AFABAE,SHA256=58C06A85ADD36B61B968070C0B42DA13448E383DEA4AC4A8364A8181E7D4B8E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134632Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:26.540{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D8731184D842FBC5C4293C04FDC6C2B,SHA256=3C710597C00480FBBE8A8DA516484B32B4D064FC47653B8364AB8CE4FEF7FA5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189528Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:26.104{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19ED348D5A1B5A676FA800A2D44B4DE6,SHA256=6B48F5678FD2FFE339696991341072CB089DB6F7481C98AF6D2069B60B02CFD1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134634Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:27.572{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0404C8AD09F103C7663755742B7C89CA,SHA256=A2EA6381D5DF1FB7B10844315398D4171894A13242878C8E3335A5A6A45CE413,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189529Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:27.104{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BDE34823FF5AC6D0EE0017762BA12C1,SHA256=38F59A2798ABE385D5F3C22DCF3A8E9174B6208E748B9AA4A0C2576A784F7C62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134635Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:28.681{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFE52E3AFD1F5BF1291A3C814F10F92E,SHA256=FF4911E1A80192B89710FBCF660178B2EB19390077C035842367F8A9CD9D6C07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189530Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:28.119{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C76FED0917AFCF02C48BB3A149557EFF,SHA256=BBC37881A4EE4AECADB1C750D95624269E7C48AFA87D6070A63BD2FC9A57DCD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134637Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:29.759{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BBBE1D73461745BFB5225479F60B022,SHA256=D3E7FA0BE34F580DA5FE120B71A33303EFD7DD82C4516A90D53D5BA167024A79,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000189536Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-SetValue2022-02-25 12:20:29.479{414E8EDF-B0BE-6218-2300-000000003702}2708C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\6FC0DF5C-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_6FC0DF5C-0000-0000-0000-100000000000.XML 13241300x8000000000000000189535Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-SetValue2022-02-25 12:20:29.463{414E8EDF-B0BE-6218-2300-000000003702}2708C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\5AC55B93-C186-4CC0-9DA1-B24F3F6A7ED5\Config SourceDWORD (0x00000001) 13241300x8000000000000000189534Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-SetValue2022-02-25 12:20:29.463{414E8EDF-B0BE-6218-2300-000000003702}2708C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\5AC55B93-C186-4CC0-9DA1-B24F3F6A7ED5\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_5AC55B93-C186-4CC0-9DA1-B24F3F6A7ED5.XML 10341000x8000000000000000189533Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:29.463{414E8EDF-B0AE-6218-0B00-000000003702}632804C:\Windows\system32\lsass.exe{414E8EDF-B0BE-6218-2300-000000003702}2708C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189532Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:29.463{414E8EDF-B0AE-6218-0B00-000000003702}632804C:\Windows\system32\lsass.exe{414E8EDF-B0BE-6218-2300-000000003702}2708C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000189531Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:29.135{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75BC3DD47B250AFAD433B110553BABD9,SHA256=412E08A1B19089446F83650B8499744616EA1743D3F363A52FD50686BC04519F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000134636Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:26.719{6AAC6DF5-B0C0-6218-5B00-000000003802}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-933.eu-central-1.compute.internal50935-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000134649Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:30.759{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56BDFF93E44FCC81FE3A63CA1D6A0023,SHA256=34FD28C0BE5232663600C8A373804424587CF2943575C0264118138E2F2F9A15,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000189540Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:30.322{414E8EDF-B0AE-6218-0B00-000000003702}632436C:\Windows\system32\lsass.exe{414E8EDF-B0BE-6218-2300-000000003702}2708C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189539Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:30.322{414E8EDF-B0AE-6218-0B00-000000003702}632436C:\Windows\system32\lsass.exe{414E8EDF-B0BE-6218-2300-000000003702}2708C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189538Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:30.322{414E8EDF-B0AE-6218-0B00-000000003702}632436C:\Windows\system32\lsass.exe{414E8EDF-B0BE-6218-2300-000000003702}2708C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000189537Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:30.135{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E86C4EF03C1789043D3860F59EED5A6A,SHA256=CD9E5BB23B21BA32697FC93FEA0FF4BF52E6FA4CE88C439EB4AA3FB8517EA176,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000134648Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-SetValue2022-02-25 12:20:30.369{6AAC6DF5-B0B0-6218-0B00-000000003802}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x8000000000000000134647Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-SetValue2022-02-25 12:20:30.369{6AAC6DF5-B0B0-6218-0B00-000000003802}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00613909) 13241300x8000000000000000134646Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-SetValue2022-02-25 12:20:30.369{6AAC6DF5-B0B0-6218-0B00-000000003802}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d82a39-0xb22d9439) 13241300x8000000000000000134645Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-SetValue2022-02-25 12:20:30.369{6AAC6DF5-B0B0-6218-0B00-000000003802}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d82a42-0x13f1fc39) 13241300x8000000000000000134644Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-SetValue2022-02-25 12:20:30.369{6AAC6DF5-B0B0-6218-0B00-000000003802}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d82a4a-0x75b66439) 13241300x8000000000000000134643Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-SetValue2022-02-25 12:20:30.369{6AAC6DF5-B0B0-6218-0B00-000000003802}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x8000000000000000134642Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-SetValue2022-02-25 12:20:30.369{6AAC6DF5-B0B0-6218-0B00-000000003802}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00613909) 13241300x8000000000000000134641Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-SetValue2022-02-25 12:20:30.369{6AAC6DF5-B0B0-6218-0B00-000000003802}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d82a39-0xb22d9439) 13241300x8000000000000000134640Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-SetValue2022-02-25 12:20:30.369{6AAC6DF5-B0B0-6218-0B00-000000003802}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d82a42-0x13f1fc39) 13241300x8000000000000000134639Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-SetValue2022-02-25 12:20:30.369{6AAC6DF5-B0B0-6218-0B00-000000003802}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d82a4a-0x75b66439) 23542300x8000000000000000134638Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:30.118{6AAC6DF5-B0B2-6218-2200-000000003802}1500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=4A396A40DE4AD844AFDFD6BFEE34209D,SHA256=ABC582D2644B8C5C1CF17206963A01B55D9A40BBB1979B03D8F2D216AA803ABE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134651Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:31.775{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=398873EB43A6A761A1A3411411E0EDD0,SHA256=7A2C33F10B776A15682D227297FFFA7E0E076917F595AFDA6DDE1B73CD969179,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189551Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:31.322{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B10BFE676493E38F4F4C95CEA227B8BF,SHA256=DF532BF73EF75E02E934A8A073D37F6674C549D3ED715B70F9B7FE578091F841,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189550Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:31.322{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=391BCADA9FA2580BE03EF0BF0A51D65D,SHA256=507434BBDFC93F686B865717F70CECF4CD8B337C22FFD8275CD239F3534AE588,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000189549Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:31.322{414E8EDF-B0AE-6218-0B00-000000003702}632804C:\Windows\system32\lsass.exe{414E8EDF-B0BE-6218-2300-000000003702}2708C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189548Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:31.322{414E8EDF-B0AE-6218-0B00-000000003702}632804C:\Windows\system32\lsass.exe{414E8EDF-B0BE-6218-2300-000000003702}2708C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189547Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:31.166{414E8EDF-B0AE-6218-0B00-000000003702}632804C:\Windows\system32\lsass.exe{414E8EDF-B0BE-6218-2300-000000003702}2708C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189546Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:31.166{414E8EDF-B0AE-6218-0B00-000000003702}632804C:\Windows\system32\lsass.exe{414E8EDF-B0BE-6218-2300-000000003702}2708C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189545Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:31.166{414E8EDF-B0AE-6218-0B00-000000003702}632804C:\Windows\system32\lsass.exe{414E8EDF-B0BE-6218-2300-000000003702}2708C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000189544Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:31.151{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D6FFC6FFC273B2979EE007AF1F4A83C,SHA256=E02BA47C02BB97E528891088117BEDF4170824674283C735F34C51E98CCE44C8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000189543Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:29.970{414E8EDF-B0B0-6218-0D00-000000003702}900C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:5147:9304:4b1c:595fwin-dc-tcontreras-attack-range-478.attackrange.local52635-truefe80:0:0:0:5147:9304:4b1c:595fwin-dc-tcontreras-attack-range-478.attackrange.local135epmap 354300x8000000000000000189542Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:29.970{414E8EDF-B0BE-6218-2300-000000003702}2708C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:5147:9304:4b1c:595fwin-dc-tcontreras-attack-range-478.attackrange.local52635-truefe80:0:0:0:5147:9304:4b1c:595fwin-dc-tcontreras-attack-range-478.attackrange.local135epmap 354300x8000000000000000189541Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:29.562{414E8EDF-B0C9-6218-6A00-000000003702}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52634-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000134650Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:29.610{6AAC6DF5-B0B2-6218-2200-000000003802}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-933.eu-central-1.compute.internal50936-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000134652Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:32.837{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CB44F1D2588FEE7452B38644429FB6E,SHA256=62BAE4E77A2415050E03D3E2B16BB9B2EC96FCA58845936BD27D15710390A289,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189562Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:32.291{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8E884B2B5697F700E947F492FF9F59F,SHA256=4534368A8CA68A92337CA1BF0E3C8545582F60A7BB1EB88B1A284EF340696916,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000189561Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:31.671{414E8EDF-B0AE-6218-0B00-000000003702}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52637-false10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local389ldap 354300x8000000000000000189560Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:31.671{414E8EDF-B0BE-6218-2300-000000003702}2708C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52637-false10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local389ldap 354300x8000000000000000189559Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:30.827{414E8EDF-B0AE-6218-0B00-000000003702}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52636-false10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local389ldap 354300x8000000000000000189558Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:30.827{414E8EDF-B0BE-6218-2300-000000003702}2708C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52636-false10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local389ldap 354300x8000000000000000189557Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:29.992{414E8EDF-B0B1-6218-1400-000000003702}972C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10e:0:0:9880:66e5:9be:ffff-58860-truee000:fc:0:0:0:0:0:0-5355llmnr 354300x8000000000000000189556Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:29.992{414E8EDF-B0B1-6218-1400-000000003702}972C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruefe80:0:0:0:5147:9304:4b1c:595fwin-dc-tcontreras-attack-range-478.attackrange.local58860-trueff02:0:0:0:0:0:1:3-5355llmnr 354300x8000000000000000189555Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:29.989{414E8EDF-B0BE-6218-2A00-000000003702}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-478.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-478.attackrange.local51145- 354300x8000000000000000189554Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:29.986{414E8EDF-B0BE-6218-2A00-000000003702}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local62773-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 354300x8000000000000000189553Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:29.986{414E8EDF-B0BE-6218-2A00-000000003702}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-478.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-478.attackrange.local49183- 354300x8000000000000000189552Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:29.986{414E8EDF-B0B1-6218-1400-000000003702}972C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-478.attackrange.local49183-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-478.attackrange.local53domain 23542300x8000000000000000134653Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:33.869{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00234CCD0414A9A56EE843D846D07F33,SHA256=1F05F80D4A4B58306493B8B58E8ECF1D72194E1BC01E989B76BA11D09DBE68C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189563Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:33.323{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A9F7466B06EF7F2C23FF915A47A2C18,SHA256=AA31F439D1FCA6F9982B9BAB906E8EC42FE3C6BED01DEC8170E3B05789534BD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134655Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:34.869{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C33387FCE713AB0E01AD44F2211F0D40,SHA256=B2D75B5766E052A851F6BD5A446247D36BED160C2F2430A5AFC98863365E9C12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189564Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:34.323{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B49B8591318BB642E08243C5B11F6CAA,SHA256=8E2112817A2DE8A30FFC02BB605F1A6F2CF5EE3DC9C3DAFA7A9EF0561F62EB16,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000134654Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:32.719{6AAC6DF5-B0C0-6218-5B00-000000003802}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-933.eu-central-1.compute.internal50937-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000134656Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:35.884{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76BC82D89A1F5A849B79EBEC83C7DF66,SHA256=31832280ADB74849194DC8BF24D9738E547F9D1A7789BA2293F71CC3D25E7AB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189565Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:35.432{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=347F96B61C257345337DEFDEAE3CF84B,SHA256=A3FEA34C7AFD2588D41BFC0C5AEF53D71679D2F8CE5CB11C209242E0D361D086,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134657Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:36.884{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44F688E4B61844D92F6F53668F078C12,SHA256=EE1113D8DB581603AE9C08BA06D5D9A06EF29A54A60274382A81BF8C02167696,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189567Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:36.432{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=182F74F0BEEE60D8B23AE47D1B47286C,SHA256=DAB35CA4389433A67113E01DE4E2749896C32E91D1429743A7B049B1D812D1A0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000189566Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:34.593{414E8EDF-B0C9-6218-6A00-000000003702}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52638-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000134658Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:37.900{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0CBF190D5A7047F3E547BAF54640BAA,SHA256=738B2340655D75E481812DBB31557B419E2F131BD30FDB05DFE84A238B99CCE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189568Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:37.541{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AA1D54B5E8EDFB15BDD811D355C6B88,SHA256=B79B0C5AA6C811F9ACFCFA08AD7C51FC7583E29F2830A040CF1B7D68844A2A74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134659Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:38.947{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4288926F0B33795F60C4142E278B31B,SHA256=6D7CF8B7C67B6D726C9F6140E0D9877BBC71E5ED7398DE321858D5FF7426DB9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189570Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:38.573{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C02B8E5BEA2A3D9B36908C34363F0DC6,SHA256=AA2CEA13D56699B84544361DD50F0C8057A3AA86DD0B04A311B2D10B73A77140,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189569Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:38.494{414E8EDF-B0BE-6218-2900-000000003702}2792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=4A396A40DE4AD844AFDFD6BFEE34209D,SHA256=ABC582D2644B8C5C1CF17206963A01B55D9A40BBB1979B03D8F2D216AA803ABE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134660Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:39.978{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5952DA9B835B96E27AF507AA22E61C7,SHA256=57F705B019BBE3B2BCB0B8007261748EA673A36B9F4189A1E842F9BA7E010924,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189571Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:39.588{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1794AA2DB9DE87C8942926D43402829C,SHA256=1490783E974EB713C270848D67FFD7243C09AE47D562126639D7120A448C5A7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189573Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:40.619{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D81CE8F9D222F429EC5AA23856C30D2E,SHA256=8780ED8EC7BA78C4F7DFB4316563C432AF047CD57EAFA59E43B84266E3513F7F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000134674Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:38.672{6AAC6DF5-B0C0-6218-5B00-000000003802}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-933.eu-central-1.compute.internal50938-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000134673Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:40.666{6AAC6DF5-B0B4-6218-2B00-000000003802}28082828C:\Windows\system32\conhost.exe{6AAC6DF5-C998-6218-7B03-000000003802}1036C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134672Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:40.666{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134671Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:40.666{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134670Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:40.666{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134669Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:40.666{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134668Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:40.666{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134667Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:40.666{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134666Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:40.666{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134665Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:40.666{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134664Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:40.666{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134663Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:40.666{6AAC6DF5-B0AF-6218-0500-000000003802}424440C:\Windows\system32\csrss.exe{6AAC6DF5-C998-6218-7B03-000000003802}1036C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000134662Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:40.666{6AAC6DF5-B0B2-6218-2200-000000003802}15003888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6AAC6DF5-C998-6218-7B03-000000003802}1036C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000134661Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:40.666{6AAC6DF5-C998-6218-7B03-000000003802}1036C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6AAC6DF5-B0B0-6218-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{6AAC6DF5-B0B2-6218-2200-000000003802}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000189572Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:38.984{414E8EDF-B0BE-6218-2900-000000003702}2792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52639-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000189574Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:41.698{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A29BEE08C47E5164FB10D6B3D5AD0A38,SHA256=89F4364F30911800773429E445414E7A3C8C66A6E54B1E05B518773D11A8618D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000134704Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:41.837{6AAC6DF5-B0B4-6218-2B00-000000003802}28082828C:\Windows\system32\conhost.exe{6AAC6DF5-C999-6218-7D03-000000003802}2380C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134703Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:41.837{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134702Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:41.837{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134701Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:41.837{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134700Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:41.837{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134699Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:41.837{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134698Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:41.837{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134697Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:41.837{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134696Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:41.837{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134695Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:41.837{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134694Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:41.837{6AAC6DF5-B0AF-6218-0500-000000003802}424540C:\Windows\system32\csrss.exe{6AAC6DF5-C999-6218-7D03-000000003802}2380C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000134693Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:41.837{6AAC6DF5-B0B2-6218-2200-000000003802}15003888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6AAC6DF5-C999-6218-7D03-000000003802}2380C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000134692Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:41.838{6AAC6DF5-C999-6218-7D03-000000003802}2380C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6AAC6DF5-B0B0-6218-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{6AAC6DF5-B0B2-6218-2200-000000003802}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000134691Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:41.681{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6C236A4096238542AE4D78FF349A531A,SHA256=907BF32EBF0BEEF38194B30A383EF063B8D15CA485DCCA5B5E1074DBCBA1D39C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134690Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:41.681{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C5BD84E29BDF16B306489AFFB1C1B733,SHA256=0635CEA69AD67B6717CF7D5A12C74C0D46ADA3EE5B8EC085DC981A2A7ABD470F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000134689Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:41.603{6AAC6DF5-C999-6218-7C03-000000003802}3012596C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{6AAC6DF5-B0B2-6218-2200-000000003802}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134688Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:41.337{6AAC6DF5-B0B4-6218-2B00-000000003802}28082828C:\Windows\system32\conhost.exe{6AAC6DF5-C999-6218-7C03-000000003802}3012C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134687Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:41.337{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134686Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:41.337{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134685Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:41.337{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134684Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:41.337{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134683Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:41.337{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134682Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:41.337{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134681Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:41.337{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134680Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:41.337{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134679Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:41.337{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134678Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:41.337{6AAC6DF5-B0AF-6218-0500-000000003802}4241012C:\Windows\system32\csrss.exe{6AAC6DF5-C999-6218-7C03-000000003802}3012C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000134677Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:41.337{6AAC6DF5-B0B2-6218-2200-000000003802}15003888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6AAC6DF5-C999-6218-7C03-000000003802}3012C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000134676Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:41.338{6AAC6DF5-C999-6218-7C03-000000003802}3012C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6AAC6DF5-B0B0-6218-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{6AAC6DF5-B0B2-6218-2200-000000003802}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000134675Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:41.009{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC339E74DF027250D08B3A49914EA4C9,SHA256=98480795D7A9CFBC47387FA192BB81385CBE5B90D10BDCE53A1EF1A779F4DB37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189576Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:42.745{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B2B210CB53B3D85096F451089E19BD9,SHA256=FC4EF9CD64665A05F3E2953081F10499BAEE0319F4704219D860F43CFABF3600,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134706Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:42.838{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6C236A4096238542AE4D78FF349A531A,SHA256=907BF32EBF0BEEF38194B30A383EF063B8D15CA485DCCA5B5E1074DBCBA1D39C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134705Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:42.134{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=972B08ABDD43FCE250ED40D2C7EF78C1,SHA256=79706510F0E49F929599B9E493E6639F9EB7EBE1EC1636AF09FBBC6A50F554EF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000189575Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:40.546{414E8EDF-B0C9-6218-6A00-000000003702}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52640-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000189577Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:43.776{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DB334E6E59EBE0AFDC8A76A65CC49BB,SHA256=F2E8498C48E9C7A3892B7D57FADE68503081FB164AFCB0DB4FAA923BE6B71EA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134707Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:43.150{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDD13A49690478246EDC2EA88FCBED30,SHA256=D1932FBAC8096B436A5C8EDEACCE5AF8CA2DDE2DF8972952CAA1B8F804225310,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189578Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:44.823{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D886FB41A049B48030D7218781F85984,SHA256=846E4D6D24D4EDAC52DF89DA9945F0ECD602B242AB334AC35F5C4D0990772BED,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000134722Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:44.916{6AAC6DF5-C99C-6218-7E03-000000003802}37041176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6AAC6DF5-B0B2-6218-2200-000000003802}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134721Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:44.728{6AAC6DF5-B0B4-6218-2B00-000000003802}28082828C:\Windows\system32\conhost.exe{6AAC6DF5-C99C-6218-7E03-000000003802}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134720Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:44.728{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134719Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:44.728{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134718Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:44.728{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134717Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:44.728{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134716Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:44.728{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134715Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:44.728{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134714Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:44.728{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134713Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:44.728{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134712Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:44.728{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134711Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:44.728{6AAC6DF5-B0AF-6218-0500-000000003802}424540C:\Windows\system32\csrss.exe{6AAC6DF5-C99C-6218-7E03-000000003802}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000134710Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:44.728{6AAC6DF5-B0B2-6218-2200-000000003802}15003888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6AAC6DF5-C99C-6218-7E03-000000003802}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000134709Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:44.729{6AAC6DF5-C99C-6218-7E03-000000003802}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6AAC6DF5-B0B0-6218-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6AAC6DF5-B0B2-6218-2200-000000003802}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000134708Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:44.150{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3396AF27AB87C9BE23C528E5BBCAA152,SHA256=58B4879BBA15150F830BFD29F7AE93768FF653B9B71834A10A387E3CC5A5011B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189579Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:45.838{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A56B3F59E53F4EA5183537821BFBD62,SHA256=63C05A313D36AE61F4B7435449BBA3123E0E440E2357382990387FD4FE3B10F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134738Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:45.744{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5A1EC8AEC3FC9CE2D3C20422A00F5479,SHA256=755E69EB94BFC3E9BAE91439D0193A2FACB38395C84CEE0162C81ED154D15C91,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000134737Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:45.666{6AAC6DF5-C99D-6218-7F03-000000003802}6082636C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6AAC6DF5-B0B2-6218-2200-000000003802}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134736Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:45.400{6AAC6DF5-B0B4-6218-2B00-000000003802}28082828C:\Windows\system32\conhost.exe{6AAC6DF5-C99D-6218-7F03-000000003802}608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134735Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:45.400{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134734Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:45.400{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134733Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:45.400{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134732Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:45.400{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134731Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:45.400{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134730Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:45.400{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134729Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:45.400{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134728Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:45.400{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134727Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:45.400{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134726Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:45.400{6AAC6DF5-B0AF-6218-0500-000000003802}4241012C:\Windows\system32\csrss.exe{6AAC6DF5-C99D-6218-7F03-000000003802}608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000134725Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:45.400{6AAC6DF5-B0B2-6218-2200-000000003802}15003888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6AAC6DF5-C99D-6218-7F03-000000003802}608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000134724Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:45.401{6AAC6DF5-C99D-6218-7F03-000000003802}608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{6AAC6DF5-B0B0-6218-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6AAC6DF5-B0B2-6218-2200-000000003802}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000134723Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:45.166{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB68908717772B4D7A52B95FDE8FA484,SHA256=7B1824BD44624F830AC3FAD62B2BA26CF9206C6FA49E83D4C0C18D52C2EEC072,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189581Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:46.963{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B908D71EEC4DA6B8455220901793D63C,SHA256=33DD59110C66529C87F5603662A88D168738EDAD60FA2080D3D4A1C3FCE99969,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000134753Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:46.884{6AAC6DF5-B0B4-6218-2B00-000000003802}28082828C:\Windows\system32\conhost.exe{6AAC6DF5-C99E-6218-8003-000000003802}3580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134752Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:46.884{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134751Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:46.884{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134750Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:46.884{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134749Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:46.884{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134748Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:46.884{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134747Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:46.884{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134746Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:46.884{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134745Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:46.884{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134744Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:46.884{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134743Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:46.884{6AAC6DF5-B0AF-6218-0500-000000003802}424540C:\Windows\system32\csrss.exe{6AAC6DF5-C99E-6218-8003-000000003802}3580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000134742Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:46.884{6AAC6DF5-B0B2-6218-2200-000000003802}15003888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6AAC6DF5-C99E-6218-8003-000000003802}3580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000134741Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:46.885{6AAC6DF5-C99E-6218-8003-000000003802}3580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6AAC6DF5-B0B0-6218-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{6AAC6DF5-B0B2-6218-2200-000000003802}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000134740Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:44.594{6AAC6DF5-B0C0-6218-5B00-000000003802}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-933.eu-central-1.compute.internal50939-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000134739Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:46.197{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30753B3183A9F6F8BA1F88758A75DDB8,SHA256=08C093A07B3FA3297AD5B7519378DFC5C8B0964B494EF9C179BC2DA463594561,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000189580Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:45.593{414E8EDF-B0C9-6218-6A00-000000003702}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52641-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000134756Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:47.900{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=56FB3721FC405E41BF4EB075C2DA0A18,SHA256=876510EB297B623E8B407DCFE64478BA371395600F8D013E2DAEBB14440F98BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134755Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:47.228{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=002040D72E1A49C0E4C641493E2A6CA9,SHA256=A3FD105F647A111A687015156D793FFC9470CD0B634BADF098A8720C266BC0FF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000134754Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:47.166{6AAC6DF5-C99E-6218-8003-000000003802}35802660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{6AAC6DF5-B0B2-6218-2200-000000003802}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000189582Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:48.010{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC2AC56EBF10225271A55B0AF8AE316D,SHA256=33BBCFA135E1E905DCDFA77293F3657806206AA3466EBD7A8682B8793B5D800E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134770Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:48.244{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D995B17F0DFE99AE6FE0C70422211031,SHA256=0175E68FF68A8BA0C0A86A951C69D88BFEFE2C10DE86F398E346E5C1C2EB9D98,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000134769Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:48.166{6AAC6DF5-B0B4-6218-2B00-000000003802}28082828C:\Windows\system32\conhost.exe{6AAC6DF5-C9A0-6218-8103-000000003802}1784C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134768Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:48.166{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134767Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:48.166{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134766Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:48.166{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134765Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:48.166{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134764Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:48.166{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134763Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:48.166{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134762Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:48.166{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134761Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:48.166{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134760Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:48.166{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134759Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:48.166{6AAC6DF5-B0AF-6218-0500-000000003802}4241012C:\Windows\system32\csrss.exe{6AAC6DF5-C9A0-6218-8103-000000003802}1784C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000134758Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:48.166{6AAC6DF5-B0B2-6218-2200-000000003802}15003888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6AAC6DF5-C9A0-6218-8103-000000003802}1784C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000134757Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:48.167{6AAC6DF5-C9A0-6218-8103-000000003802}1784C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6AAC6DF5-B0B0-6218-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{6AAC6DF5-B0B2-6218-2200-000000003802}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000189583Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:49.151{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83C47A45818A24A90E765730C29B6B3B,SHA256=7B27D1855942FE856D081968F05B32C6DA176BD4E21A0C6E969E4022437CA4A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134772Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:49.244{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13139EBEB26EED15FD83085B0A97423B,SHA256=82AF8D652AB4E3DB00E2619898CE1503ECB388FD2B5B4ADDA40CC1F06E889F25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134771Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:49.213{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=48FC9D93B2825A51BC4DF90AB7223436,SHA256=F5194E9B237CDC0AF72628F8060B398DFFED5A82C500D3A44A3F6D05A595EC46,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000189592Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:50.338{414E8EDF-B0C0-6218-3300-000000003702}31843204C:\Windows\system32\conhost.exe{414E8EDF-C9A2-6218-CA03-000000003702}2560C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189591Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:50.338{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189590Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:50.338{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189589Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:50.338{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189588Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:50.338{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189587Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:50.338{414E8EDF-B0AE-6218-0500-000000003702}416532C:\Windows\system32\csrss.exe{414E8EDF-C9A2-6218-CA03-000000003702}2560C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000189586Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:50.338{414E8EDF-B0BE-6218-2900-000000003702}27923692C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{414E8EDF-C9A2-6218-CA03-000000003702}2560C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000189585Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:50.339{414E8EDF-C9A2-6218-CA03-000000003702}2560C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{414E8EDF-B0AE-6218-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{414E8EDF-B0BE-6218-2900-000000003702}2792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000189584Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:50.152{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=910D4D65D480FCD3E5E5C873FE725216,SHA256=3A93E9BC8EE33A9FF4BB60C4A6E7C9E70CB9E5A8363A125F3B5A37EA89143A85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134773Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:50.260{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EAECCD0174FEA2D59F773151AF550BF,SHA256=122C80DB605C5821E3B928FFC08C368B8CA3A3A9D433C241F8EAE9B03114717C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000134775Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:49.766{6AAC6DF5-B0C0-6218-5B00-000000003802}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-933.eu-central-1.compute.internal50940-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000134774Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:51.291{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4922F0D331DD9170A1720860BA23F3C6,SHA256=92231DFA5101177791AE2D1617ACD966A7D3DA97A377283590DBFF3CECAC4FA0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000189613Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:51.854{414E8EDF-C9A3-6218-CC03-000000003702}1012596C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{414E8EDF-B0BE-6218-2900-000000003702}2792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000189612Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:50.687{414E8EDF-B0C9-6218-6A00-000000003702}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52642-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000189611Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:51.620{414E8EDF-B0C0-6218-3300-000000003702}31843204C:\Windows\system32\conhost.exe{414E8EDF-C9A3-6218-CC03-000000003702}1012C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189610Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:51.620{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189609Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:51.620{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189608Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:51.620{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189607Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:51.620{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189606Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:51.620{414E8EDF-B0AE-6218-0500-000000003702}416432C:\Windows\system32\csrss.exe{414E8EDF-C9A3-6218-CC03-000000003702}1012C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000189605Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:51.620{414E8EDF-B0BE-6218-2900-000000003702}27923692C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{414E8EDF-C9A3-6218-CC03-000000003702}1012C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000189604Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:51.620{414E8EDF-C9A3-6218-CC03-000000003702}1012C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{414E8EDF-B0AE-6218-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{414E8EDF-B0BE-6218-2900-000000003702}2792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000189603Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:51.401{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6C8E929EC13BE5E86E68B1AEDB0AAB77,SHA256=801A865E551EBF2C723D0BC03CEE9CCA1213FB30A5C1137219011DF5FD0763A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189602Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:51.385{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B10BFE676493E38F4F4C95CEA227B8BF,SHA256=DF532BF73EF75E02E934A8A073D37F6674C549D3ED715B70F9B7FE578091F841,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189601Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:51.229{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=197F3E98712A8AC97156D30243C9E7E8,SHA256=488E5D326AC8EA7B4278839738453DE3D65446DACB9588A2C5002BA7238A71ED,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000189600Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:51.010{414E8EDF-B0C0-6218-3300-000000003702}31843204C:\Windows\system32\conhost.exe{414E8EDF-C9A3-6218-CB03-000000003702}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189599Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:51.010{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189598Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:51.010{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189597Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:51.010{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189596Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:51.010{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189595Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:51.010{414E8EDF-B0AE-6218-0500-000000003702}416532C:\Windows\system32\csrss.exe{414E8EDF-C9A3-6218-CB03-000000003702}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000189594Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:51.010{414E8EDF-B0BE-6218-2900-000000003702}27923692C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{414E8EDF-C9A3-6218-CB03-000000003702}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000189593Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:51.011{414E8EDF-C9A3-6218-CB03-000000003702}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{414E8EDF-B0AE-6218-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{414E8EDF-B0BE-6218-2900-000000003702}2792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000189624Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:52.620{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6C8E929EC13BE5E86E68B1AEDB0AAB77,SHA256=801A865E551EBF2C723D0BC03CEE9CCA1213FB30A5C1137219011DF5FD0763A4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000189623Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:52.370{414E8EDF-C9A4-6218-CD03-000000003702}39203252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{414E8EDF-B0BE-6218-2900-000000003702}2792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000189622Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:52.292{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=573B02DB9ED6649B1C34CE057AFDD4F0,SHA256=E6D2376D354EFBBD691000C41D6093B5F97621A2A425D6ED1FBD98D475F14ADA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134776Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:52.322{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84AECB2B36B9E1B05DF617F54FDB9177,SHA256=8AFA823E2A6CA6A1346C99D2E8DA2677E4325D15E8F4BF0AA9BD078A1706DBCE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000189621Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:52.120{414E8EDF-B0C0-6218-3300-000000003702}31843204C:\Windows\system32\conhost.exe{414E8EDF-C9A4-6218-CD03-000000003702}3920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189620Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:52.120{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189619Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:52.120{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189618Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:52.120{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189617Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:52.120{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189616Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:52.120{414E8EDF-B0AE-6218-0500-000000003702}416372C:\Windows\system32\csrss.exe{414E8EDF-C9A4-6218-CD03-000000003702}3920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000189615Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:52.120{414E8EDF-B0BE-6218-2900-000000003702}27923692C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{414E8EDF-C9A4-6218-CD03-000000003702}3920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000189614Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:52.121{414E8EDF-C9A4-6218-CD03-000000003702}3920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{414E8EDF-B0AE-6218-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{414E8EDF-B0BE-6218-2900-000000003702}2792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000134777Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:53.369{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DF1DA8F43B9DD7CA5F49A158D9D144D,SHA256=60B8D7E37299054F0509F215136C78F7BEE1BABCF2295FDB9BE51E6F967A2547,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000189645Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:53.760{414E8EDF-C9A5-6218-CF03-000000003702}38481304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{414E8EDF-B0BE-6218-2900-000000003702}2792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000189644Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:52.874{414E8EDF-B0AE-6218-0B00-000000003702}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-478.attackrange.local52643-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-478.attackrange.local389ldap 354300x8000000000000000189643Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:52.874{414E8EDF-B0BE-6218-2B00-000000003702}2820C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-478.attackrange.local52643-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-478.attackrange.local389ldap 10341000x8000000000000000189642Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:53.526{414E8EDF-B0C0-6218-3300-000000003702}31843204C:\Windows\system32\conhost.exe{414E8EDF-C9A5-6218-CF03-000000003702}3848C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189641Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:53.526{414E8EDF-B0AE-6218-0500-000000003702}416532C:\Windows\system32\csrss.exe{414E8EDF-C9A5-6218-CF03-000000003702}3848C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000189640Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:53.526{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189639Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:53.526{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189638Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:53.526{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189637Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:53.526{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189636Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:53.526{414E8EDF-B0BE-6218-2900-000000003702}27923692C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{414E8EDF-C9A5-6218-CF03-000000003702}3848C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000189635Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:53.527{414E8EDF-C9A5-6218-CF03-000000003702}3848C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{414E8EDF-B0AE-6218-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{414E8EDF-B0BE-6218-2900-000000003702}2792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000189634Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:53.354{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D9F5F2BB02CF93647D02FF931AA9C55,SHA256=5CE9C9CC1F0D64DB6A94B594095AB937276D400A195C9342CD79DB1ED91D8E7A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000189633Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:53.260{414E8EDF-C9A5-6218-CE03-000000003702}28042216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{414E8EDF-B0BE-6218-2900-000000003702}2792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189632Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:53.026{414E8EDF-B0C0-6218-3300-000000003702}31843204C:\Windows\system32\conhost.exe{414E8EDF-C9A5-6218-CE03-000000003702}2804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189631Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:53.026{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189630Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:53.026{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189629Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:53.026{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189628Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:53.026{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189627Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:53.026{414E8EDF-B0AE-6218-0500-000000003702}4165324C:\Windows\system32\csrss.exe{414E8EDF-C9A5-6218-CE03-000000003702}2804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000189626Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:53.026{414E8EDF-B0BE-6218-2900-000000003702}27923692C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{414E8EDF-C9A5-6218-CE03-000000003702}2804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000189625Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:53.027{414E8EDF-C9A5-6218-CE03-000000003702}2804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{414E8EDF-B0AE-6218-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{414E8EDF-B0BE-6218-2900-000000003702}2792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000134778Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:54.385{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FF3C7AF22A6FE73DCEE2D7E8A790F3E,SHA256=F47D22AC3D847D8ABE5CC30E62526DD5B40E52D5AF240DA072CFC44AB4C288AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189647Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:54.354{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=382D12B028181406F43EDF30B7E6FD21,SHA256=859C76343326DDA8DF7504CD62D641A5E60FE476ECCDF76BB0E999DB46C2E93F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189646Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:54.042{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=947B04298DB8D824B65129F7E6242AFF,SHA256=B48ED03413F69D39B1D36110886100C0C5081F4A2F006E255EABF405FC8E063B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134779Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:55.400{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53721E9DF9A5A97673C1C946ED3C86D9,SHA256=059C95238E07E24270D6405D715122A1D85F62544ADA8F09C9D555BCFBBA5C17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189648Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:55.417{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88F068E9FE6FB5C8775A42571C2F4CB9,SHA256=3088FCB58E82CE5DB439B92FAE6AC4E9DEF3E61F6561788A95C5FE1F3DBC1AFF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000189656Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:56.995{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189655Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:56.995{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189654Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:56.995{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189653Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:56.995{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189652Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:56.995{414E8EDF-B0AE-6218-0500-000000003702}416372C:\Windows\system32\csrss.exe{414E8EDF-C9A8-6218-D003-000000003702}3940C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000189651Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:56.995{414E8EDF-B0BE-6218-2900-000000003702}27923692C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{414E8EDF-C9A8-6218-D003-000000003702}3940C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000189650Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:56.996{414E8EDF-C9A8-6218-D003-000000003702}3940C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{414E8EDF-B0AE-6218-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{414E8EDF-B0BE-6218-2900-000000003702}2792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000189649Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:56.432{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBB9DA707F54A26EE30493EAEA5FA67E,SHA256=DD016A8E1598B84B1EA378D25824BB59AFFD9EEABC305DA2B9FC200FD45D34B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134780Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:56.416{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1230DDBC597CA277F0CD1E1D11BF82A,SHA256=5091E65953A23EB7F0128FE3C307ADC4049EB6C61971278FAEB4B4CE2379DEDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189660Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:57.995{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BA65D50FD48552C00A85ECC37837D462,SHA256=BDF4910703091433ED98DBED208968E706EB66FC250DE7206FC73F91AF49C57C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000189659Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:56.687{414E8EDF-B0C9-6218-6A00-000000003702}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52644-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000189658Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:57.479{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B5105CF0A55AE7CF356A2564BCA2831,SHA256=125BB460EC4D0DF7045990B0808AF749E733483503D3AB9FC6CD690669D39B41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134781Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:57.432{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=668CED4B1E92519E33DD448277936232,SHA256=09DAD0B7351513EE8DAFA82BA9DC715AE7C3B6C9E92FD95EA22B52ED5A887E7D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000189657Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:56.995{414E8EDF-B0C0-6218-3300-000000003702}31843204C:\Windows\system32\conhost.exe{414E8EDF-C9A8-6218-D003-000000003702}3940C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000189661Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:58.479{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6144A65E020040455E85D5BBE3F6103E,SHA256=3A2C9EEFCE72A68D15E75090F6EF5F82FE0E5F27014BB6043C8299A50216B5F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134783Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:58.447{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37688FD80AFC6490D4541AC082ADA321,SHA256=FE0CB79F8B523D31F234B629FB375402A699F5D00126B7FDE7431AA2CEDAA873,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000134782Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:55.765{6AAC6DF5-B0C0-6218-5B00-000000003802}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-933.eu-central-1.compute.internal50941-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000189662Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:59.495{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69F42897002DE2FD7BD41182CCC2C25B,SHA256=BC6D1B41538C04DAD4146BE5126F85FC00EA082312FAE7702FE74ADD6E2326AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134784Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:59.447{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47648FD2BA28FF616A0421776FD725BA,SHA256=4DF1045545F5748CF706042DDB0460FA5F7C6EC14D5E5B6F562B4A2F1737B3EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189663Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:00.526{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CABF833E7E9FB7A8F1C1A65CD4C5FCB,SHA256=D39ED200A8628B90C1E2743DD95B6E8615B714EAF904D23A65301190E0ADDFA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134785Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:00.463{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1205E608EBD19839B668DFF573DF6DB0,SHA256=4214A40725702BF6EEED21F035CE0764CF1083B183D81BC70E079225532681AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189664Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:01.526{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17675F19FFD9376BA2B514B0395069BD,SHA256=8DDEB6C29FFE8C02A0B9C6ADCD7E2A193C2D2655B8BFEF687AD9FD7F375D7F32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134786Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:01.463{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B30CD0CF2D6E2D6DB831F00E325E5013,SHA256=B038A049685CB74ED8F6FDE96E981B6FFA0BD6637D7094FEFBD1357B438778E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189665Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:02.542{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=149814D6916E99E6DCC5C73FF4091A19,SHA256=B1B008C24E2C87A38208A14B72CF465A2C152DF0DF881C667E22B9295067FEA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134787Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:02.463{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=546393DFD0ABB8720B759CF01495F378,SHA256=30B9B075BBF42C956896D9C5B78FD0F9C9ABE008E40ABB2050388B3EE2A1E92F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000189667Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:02.624{414E8EDF-B0C9-6218-6A00-000000003702}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52645-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000189666Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:03.542{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6EAA8DF656901E2752889E8AFEA51AE,SHA256=028C03E58224C5E0C16A25EB4F03C8984DCABEFBBE2886FCDF3B939A64416DFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134788Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:03.463{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2EC698C699263034DD99C5A5B9D3AC5,SHA256=46FDF649F21882A297706700EC8185AFAD27F3843AAFFAA116025A43264AD298,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189668Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:04.557{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EC287D78E46F6E6844395538B8C8621,SHA256=1B5459C414292ED95921A17337C33A0CD17A976B2D2D333812FBC536CAE75AFF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000134790Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:01.687{6AAC6DF5-B0C0-6218-5B00-000000003802}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-933.eu-central-1.compute.internal50942-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000134789Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:04.479{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A40B4DEC102BC2DAF3BEEE27CD7EA735,SHA256=AB13DE87242DE2C0E30B48F6DF396E691CF0813B1FA4C0A5F9C75D3125DFE72A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189669Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:05.573{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D55D56BAF9B654E5D672E75DA0E9B7D,SHA256=3AA6F131AB0F93E634591E915B2F31C0615ACAB503C1DC80025CB8B322729104,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134791Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:05.494{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC4B2C224F2843A6E33109BB5CBE8777,SHA256=53A5191DC343874066C79D3A9AF533ED467A66851C837BB05B0034420BC89693,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189670Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:06.573{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC81C778F88A803092F55A98AAA9965C,SHA256=AEC47A704C7CB6BDBF340F44D2D8E9D630C43918F4C33BB5E1F385508092C442,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134792Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:06.510{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5BFC7732DD4C4F03F8866007E8D4B6C,SHA256=9907EC33BA52FE5E697C3CF31FE7555691AB1944A3CDEC2163BCA7C19D8DD7B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189671Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:07.589{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFBC7598513F18223C94577CF29F03A1,SHA256=85ECAF1BAAC50C4EB7A87A936B22255D4A630CD87C6AA8D6E850FEECB5DCD7B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134794Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:07.576{6AAC6DF5-B0B2-6218-1D00-000000003802}1952NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d7ccee276d30a4b6\channels\health\respondent-20220225103429-103MD5=FBD42F5F8AA0DC0DD6067820063FF10B,SHA256=AAA41009555F09EFB0ED817562D7125DD50A33AE671816E82835424EE5CAE232,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134793Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:07.511{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C950BEE700EFCFFD49ABC35867557322,SHA256=B066483ABBB2EB0C94FF940AAE1A3A8A386A791A75526DFC6A8802D9DCECE9A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189672Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:08.604{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C1231C3959F91F99897BBCDE3FDB3DE,SHA256=05A385B67FF3A133FAA10BC5DE917A4509DF74983E55DCF4829536560EE3F72F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134796Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:08.576{6AAC6DF5-B0B2-6218-1D00-000000003802}1952NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d7ccee276d30a4b6\channels\health\surveyor-20220225103427-104MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134795Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:08.512{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=712B91E3558292E7F2973F2EDE1AB459,SHA256=682CC1D3466A56A1F1F9F972FA0689C18F364D788A531F3DBC932D4F78177A01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189674Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:09.620{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBDA8C07C7867FD4AD41E49694E8A82B,SHA256=C2220F81AC26C3BFD5C040C4D4E0744176DAA206C0AAA87421F88D762AB808B9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000134798Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:07.660{6AAC6DF5-B0C0-6218-5B00-000000003802}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-933.eu-central-1.compute.internal50943-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000134797Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:09.517{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B23C0DB60E8784CE8225C577D48B98A7,SHA256=739163B845F30473F1D793CEA531FC2BCB41B8753529ABCD34780993C9FB6206,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000189673Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:07.718{414E8EDF-B0C9-6218-6A00-000000003702}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52646-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000189675Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:10.620{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7682FF0733A1AE84A382204111E8AF0,SHA256=C18D7FC039AF67E55F1009D6F0C3631A2628F6AB01F4D9B38E5191FF7BFF6A17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134799Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:10.532{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=557E4895D929659C9EB972BE597C3541,SHA256=2A5DF8BD9C9DE43F5A967C32264B1DF63ACF7C6F1975FE723660B273CB59334D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189676Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:11.636{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=558979773CAB1DF3283B02F7DFDA1F75,SHA256=CA1D3096097098CAC75D6EE67D1970F76D6DDEF56FDCCF150E7B3FFA822AD003,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134800Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:11.548{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD4588B15913FB7AB90D1A76578CD720,SHA256=3F479C01984614DE212B76658D6461FD44633315A6E8CC065204F5CA62D69803,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189677Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:12.636{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E599AA058E1D649B633EC2C0106CE25,SHA256=EAACBFB0DB73A7A600A193E1EE5147D84017F3CE817E699DA4BFB7DEAD9B9ABF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134801Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:12.564{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFB22F2630B2785D8419057B73B9E704,SHA256=D7C8F384F054DCAC60EA7C64419C4306240F7DCBD78A0B9DB0576FE6D4024E95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189678Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:13.651{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCC92F2E10FC4C5E2D18F53A3EB2E492,SHA256=935A9DF765C795A787B8F38D97EB7C126DA9AADA1799A11BF091A060B6DE46BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134802Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:13.579{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A08122DBDAEA0E28A1B3183EA2CCA40,SHA256=87A7EDC304BF2653B82C4E814D5C9B7D13C89D416705CC00B3757E927227E192,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189679Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:14.667{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=640F6E08FF14390D83A0317EB87FC003,SHA256=CBED823C836175247E592027CF209C3EDE5626F572F9D6F2C98F59A186A4AF58,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000134804Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:12.694{6AAC6DF5-B0C0-6218-5B00-000000003802}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-933.eu-central-1.compute.internal50944-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000134803Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:14.595{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF90EE590A05C1A261736DD687EA5039,SHA256=D41CD6D7ABAEDC31E1AD08BAA7053F0A10B49CEFA46B6988F685CEBC4BDD34C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189681Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:15.667{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E4DD0DCA3FEFB7579E1D9DB78E37766,SHA256=BCD522712327320FC0E412C610565C020306E2446FA48A3AF3EAA1523EF0F2CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134805Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:15.611{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A020F59BBFA38EA983A8C3FB333CB7D9,SHA256=648D637C0F87AE41177869A33EE88BDBA296BA5C1151FD64669C2B34C47AE77C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000189680Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:13.703{414E8EDF-B0C9-6218-6A00-000000003702}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52647-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000189682Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:16.683{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E4CC388F455CC34A011C30AD99D469A,SHA256=6491E2B79DD08FB7B55EA1DBB8DBAE8B82D27C33A6456E44DDCDDC695CBA1C30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134806Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:16.611{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BE780DB1D1672C337ACADE4039C185D,SHA256=F8B68C8F126DC764C135C712FE017B1998DFE1B5B5F77266802A53460A4F717F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189683Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:17.683{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC3AE99C30F91B692B7F09968EAD6736,SHA256=E95FEF254C563B27AD3CF579517A88FCD8D4539715437E3F10819DBB6282BAD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134807Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:17.626{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C22E3FB519EB6D0CA1998D1542C805BC,SHA256=92353394C0577360F43EBE779A7888ED02D5E8E9C9B51442727507249CF00371,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189685Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:18.685{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59847E4DD2269911ED1D32AA37921061,SHA256=BD86FEBC2051BF517E28877B8F649C5B86C3527F063FE97C4A25179C83A5306F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134808Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:18.642{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8ABB4F516BE4EF63DB18F49A45D59C6D,SHA256=9887C9E4746BA3B00A9D5785FC89A50BA99A2E5D9DDEB67295FD429ABBA8800F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189684Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:18.359{414E8EDF-B0BE-6218-2400-000000003702}2716NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0cad71091a725587e\channels\health\respondent-20220225103441-103MD5=E961008872A85D9E7B2EDCDB9076BE5A,SHA256=4C7B4263F3F8553ACCFCCC53A0FA56737D447810FFCB4A43A3BA8D688A9FDFED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189687Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:19.699{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=096EB4C7486340AF231A9121831B4884,SHA256=3AE0AD74A25B81D345482A76BC0D1433608F0A85BB093A1B596A5186FF01807E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134809Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:19.658{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DA049B587F86071A0B865AB37B1053F,SHA256=D02B2CCF4F7D0060B5704F368D0DA847163C0A79C9849C0B9B9816E83144A89C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189686Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:19.358{414E8EDF-B0BE-6218-2400-000000003702}2716NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0cad71091a725587e\channels\health\surveyor-20220225103439-104MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189689Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:20.702{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2000EF2734C37CDB7D5A0E66693881A8,SHA256=979D86696640914B26228F8C09F5DB0920875974048B6A9B4797CB00493D17E2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000134811Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:18.710{6AAC6DF5-B0C0-6218-5B00-000000003802}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-933.eu-central-1.compute.internal50945-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000134810Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:20.673{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93F731F3E5900429BD85673D33259B08,SHA256=7245D13470D573701BE90103DF7BADBCF01218E51511B9F70ECE35CB30760311,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000189688Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:19.674{414E8EDF-B0C9-6218-6A00-000000003702}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52648-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000189690Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:21.717{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1174FD3AAB06C466BB4C4FF5C86999C,SHA256=40ACDB2AEA03C92A03E76EFB1114458930E7EEF276BC5BAE376EB870092271B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134812Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:21.705{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C068824FF01E6F89284FAC8C62BCD9D0,SHA256=3A24783B2F8A31C5FA18CB48F7C646F3CBD1A373E757788E4309446A433D7C5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189691Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:22.764{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E20CDADF387975A3E124E5D3D3955D29,SHA256=503BCD26B08D5FFBCDB8E528635035A3378BD914E6F12679C627EDADD2B4376C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134813Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:22.705{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=418F9415EBEA9FC06C731335B0B8A339,SHA256=2EBE3875FCC7930CE440A1C142A5E30F8DB27A7917FBDC7A35171868A8A55E5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189692Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:23.780{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=897806AEEC4F87B71A4CE7E9C58DE34B,SHA256=E84754F5E95E9F04BC68FE857068CB711AE373A57BA4D6EEB0113CDAF9C716E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134814Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:23.720{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F577E237AC86D9AC1B6A34E1D093CB04,SHA256=78792F78CA9FDC5A462AB816B95214895D5EFDEAB1F79BF04BB6064129FCAB24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134815Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:24.736{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F243A9CF762FAF85533CD13F04F53E18,SHA256=6A5403BDC09ABDB1EE1DF9E8722D06437EF8EA30DCD027FA40A217E12CFFD61E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134816Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:25.751{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F49E745F8C55A07C51F559849891C533,SHA256=E09600C850EB6C7A90F949BFE9FE0E0FC36478F38A47CF2C168AAA28E86931D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189694Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:25.499{414E8EDF-B0B1-6218-1100-000000003702}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=D6BC9AF7322AAD14163C29F39ACA6651,SHA256=82D5185A57E4A61D22E22F09E9D93A20D43C3BBF5C01D0B79A53203AB8314E82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189693Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:25.014{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=726D59218F8C33827FD03B1EB65F46E8,SHA256=056CED2DBDEE536E809A53442FDF25138CA271BF65086611396647C9A992323C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134819Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:26.798{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8C93AAC288DB780845F547B7E0A14E1,SHA256=860166FF0D6420EE6061ABD8554E4764676F78E51B5727547B7FFDD6617D2ADF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134818Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:26.798{6AAC6DF5-B0B1-6218-1300-000000003802}108NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=6B0044CB896288440B7F873E7CC89375,SHA256=BDCCB85B0B7E36E2979147D678A3CDCF46A3DEBBE775A68FE165A19073D9D55B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000189696Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:25.612{414E8EDF-B0C9-6218-6A00-000000003702}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52649-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000189695Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:26.030{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA0FDBF96CC20054A2F237526E19FE43,SHA256=71E0B36245D90BDBA156B67490897B8959D3557F4212102245D44397FA0295E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000134817Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:23.741{6AAC6DF5-B0C0-6218-5B00-000000003802}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-933.eu-central-1.compute.internal50946-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000134820Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:27.799{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=428F7714D795A20BDA5D5952C52A31A9,SHA256=224A065FFD492060715F7418A4FFA6A07E283411D2C5556EAFE29C8A43C3F81E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189697Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:27.218{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D21CFA00EF08C2A86CD6AAC1B5AB2609,SHA256=9AF4F23303FA24DFF2658CAEB61D3A55C742E1414D70FF66818927CFEA41AD45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134821Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:28.845{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CD98064370059DA520D2B1C0533AAE8,SHA256=C1CF1F05F00A1AC3AFE9816DD7153715933AEB70BB6EE8A1BFB965CC53037D5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189698Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:28.343{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EC0685E7985CB75C193767EB1A31BEB,SHA256=6F1ABE6469A005491FF98B2D120C8241E1B1E2240F6D39DF59BDC45E6F2BA507,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000134825Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:29.939{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B1-6218-1500-000000003802}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134824Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:29.939{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B1-6218-1500-000000003802}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134823Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:29.939{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B1-6218-1500-000000003802}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000134822Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:29.861{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38ACBC2A0C930A30342BCCA885E7A426,SHA256=132BD4D0AC0F3B19AFC5F911B476ED7D85B9E9BCC7EAD6C32C021D8472666A9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189699Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:29.343{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=816AEF6F9970FCA9A3E778E98F242298,SHA256=5E459977F4236485557E2B68C36A7540B06F82481298322F790138CC59513665,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134827Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:30.908{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A451FC711071CF86812F3113C4C41917,SHA256=279BF5BFA04CA10B4AA3AA2C93315142EA5B108FB459A44C3AC19BA3F5D0AF62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189700Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:30.374{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=146AF775F3E2CCD8F251E0F184355A79,SHA256=765F5F4D6805654A5CA872085B9B5F29E47A9112BF95F3D9ED47C56595748142,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134826Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:30.142{6AAC6DF5-B0B2-6218-2200-000000003802}1500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=4A396A40DE4AD844AFDFD6BFEE34209D,SHA256=ABC582D2644B8C5C1CF17206963A01B55D9A40BBB1979B03D8F2D216AA803ABE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134830Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:31.955{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9798BFA983E3D34EF3EB59DBC39B47FB,SHA256=6C13225A11A8DB7FA529A9D10297F846EBF0A60A31BF34D6F84D190C6818F476,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000189703Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:30.612{414E8EDF-B0C9-6218-6A00-000000003702}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52650-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000189702Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:31.452{414E8EDF-B0B0-6218-0D00-000000003702}9005868C:\Windows\system32\svchost.exe{414E8EDF-B0DA-6218-7D00-000000003702}4500C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000189701Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:31.390{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=711972DD47F221A6C0CFA054DFD99B85,SHA256=C17C8EBA664EA63109E5000AD5DC24D3F7481C27E984F13FCF5F31E3D4AF987F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000134829Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:29.632{6AAC6DF5-B0B2-6218-2200-000000003802}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-933.eu-central-1.compute.internal50948-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x8000000000000000134828Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:29.569{6AAC6DF5-B0C0-6218-5B00-000000003802}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-933.eu-central-1.compute.internal50947-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000134831Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:32.986{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB676581CA75E7F002BFBDB66E7E39BF,SHA256=FC31CFA9D2AF89E0EA8FDCC78B5C503343D382A1EA74FBDB480566620EF576B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189704Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:32.515{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F955265E82BDBBB46E9502DB8D16023,SHA256=2D38E83CED6A55FD320FBA05CC588C96EE40BD6BC34D3439A418B74A689EBC19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189705Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:33.546{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0433023BAB2A8531E9ABC21A32B31CB9,SHA256=63EB8AD5B9760D92942DB136619A6DA678BC122517ACF1CB4EF463BA775E2865,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189706Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:34.608{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C34EF0820D48C7B1F65BD7452157E79C,SHA256=3C70D0E8079D9F1C5C9F216C5808320F445B6795988792845C912C0594B209E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134832Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:34.017{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6F15D89CCBBE761E769D24B45EC285C,SHA256=19B5B6E048FDD78F56876A79C022D1127C6E152BC79C1EDE186BE334A3088D46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189707Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:35.608{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99737C4030F5620CFD97C4C18D501B61,SHA256=D0582DE02CAEB157801BCE4B3402FDFB6F8C383C5F5FFFF4CBDBB966E137F585,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134833Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:35.033{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=799BD91ED4482D4F68A608AA54996D54,SHA256=C1012935814FF0771D02C028BD93FDDCE09B5260E23DDABE8457E64CA9EB9324,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189708Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:36.843{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9F0C1220BEA12632B0A9691559BA563,SHA256=C8CEA24AA5380A60870BBA9B960FDDF00BE8CDBC34440CDDC6B816FB76DE1D6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134834Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:36.049{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FDC2C1D50CDD2CABA6ED863D1F8D685,SHA256=CCC01A7F0A4E41673CF27ECEEDDD5ADF70965114353442ABEC8B24DBE6FAC1EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189710Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:37.874{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5A1BBB2AF5EC05D276E8125F409A5DE,SHA256=737AF0479E344E129F98DCC3FCC16C6B75D9BFDE987AF69E9C3A30265B3DA1CF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000134836Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:35.553{6AAC6DF5-B0C0-6218-5B00-000000003802}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-933.eu-central-1.compute.internal50949-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000134835Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:37.049{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B58E7B659706F0BCBD4FC7CD8EB5483,SHA256=A6F9B01B0205D7E163E007989D346E4C89C5CC38DE8AACE6155E0A0CCB5219C3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000189709Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:35.676{414E8EDF-B0C9-6218-6A00-000000003702}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52651-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000189712Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:38.890{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0E31C91A63E95012B8956E50EE7F051,SHA256=C5270ECFE5E8BA1FCF4D4F68D2075D12F1FE105F027418FD7F6C93515F74B948,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134837Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:38.064{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F7DA59AC3A6DFC997E97D34ABF5ED49,SHA256=403E9E401CDE7E499203F9778FC31B79647957E4A573209B4372202298E271F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189711Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:38.515{414E8EDF-B0BE-6218-2900-000000003702}2792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=4A396A40DE4AD844AFDFD6BFEE34209D,SHA256=ABC582D2644B8C5C1CF17206963A01B55D9A40BBB1979B03D8F2D216AA803ABE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189714Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:39.905{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B74D6EAEACC9F03169D5944A06386DE7,SHA256=D08C36C27B5A964F0E3424AE6FEA7ABC2FA348B387C856F4AF1BF7B130486F6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134838Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:39.080{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B3D0EE7AEA1932D80D254A1D0893177,SHA256=90E4918365620F158CBB24254067B42D6568A7E41111171A16B3374F8A93E556,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000189713Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:39.003{414E8EDF-B0BE-6218-2900-000000003702}2792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52652-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000189715Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:40.905{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07F6726E62238F81F7458AA592AE8A66,SHA256=205D16FBE6CB9C9C4C13AD22A0F0CBAD0CB7A36BE8033F7A320DE16F9AE56BF0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000134852Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:40.689{6AAC6DF5-B0B4-6218-2B00-000000003802}28082828C:\Windows\system32\conhost.exe{6AAC6DF5-C9D4-6218-8203-000000003802}3268C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134851Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:40.689{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134850Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:40.689{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134849Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:40.689{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134848Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:40.689{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134847Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:40.689{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134846Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:40.689{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134845Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:40.689{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134844Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:40.689{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134843Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:40.689{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134842Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:40.689{6AAC6DF5-B0AF-6218-0500-000000003802}424440C:\Windows\system32\csrss.exe{6AAC6DF5-C9D4-6218-8203-000000003802}3268C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000134841Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:40.689{6AAC6DF5-B0B2-6218-2200-000000003802}15003888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6AAC6DF5-C9D4-6218-8203-000000003802}3268C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000134840Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:40.690{6AAC6DF5-C9D4-6218-8203-000000003802}3268C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6AAC6DF5-B0B0-6218-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{6AAC6DF5-B0B2-6218-2200-000000003802}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000134839Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:40.095{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=266F8D44F82FB3CA1FF54C09CD0A730E,SHA256=03A929B29B3531A4A2862C4DF2B3E9FBB96FE02EFC38A3AC8F192F895FA616C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189716Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:41.921{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18311D9C403280C2227100FD79F253D1,SHA256=2555764BAC040C03C8AA3EA32EE4198DDA4198BDA4AA826316FD17C30DCFF50E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000134882Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:41.924{6AAC6DF5-C9D5-6218-8403-000000003802}39843168C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{6AAC6DF5-B0B2-6218-2200-000000003802}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134881Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:41.767{6AAC6DF5-B0B4-6218-2B00-000000003802}28082828C:\Windows\system32\conhost.exe{6AAC6DF5-C9D5-6218-8403-000000003802}3984C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134880Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:41.767{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134879Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:41.767{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134878Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:41.767{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134877Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:41.767{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134876Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:41.767{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134875Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:41.767{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134874Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:41.767{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134873Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:41.767{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134872Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:41.767{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134871Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:41.767{6AAC6DF5-B0AF-6218-0500-000000003802}4241012C:\Windows\system32\csrss.exe{6AAC6DF5-C9D5-6218-8403-000000003802}3984C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000134870Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:41.767{6AAC6DF5-B0B2-6218-2200-000000003802}15003888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6AAC6DF5-C9D5-6218-8403-000000003802}3984C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000134869Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:41.768{6AAC6DF5-C9D5-6218-8403-000000003802}3984C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6AAC6DF5-B0B0-6218-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{6AAC6DF5-B0B2-6218-2200-000000003802}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000134868Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:41.736{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1DF7E3597C9FA436D6EB8FD4A06334B9,SHA256=DAEB4288C3DB41F5E58EA07A8830120DE8F98897735A5F4606BECD0C5407A062,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134867Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:41.736{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=36EBC20D07EA1A8A2FA2FA05C138005B,SHA256=53BC0FFD91DF0A75156EFA5841FCFEE1F3AEF41F2CC891885FF7C88F87A975C0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000134866Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:41.205{6AAC6DF5-B0B4-6218-2B00-000000003802}28082828C:\Windows\system32\conhost.exe{6AAC6DF5-C9D5-6218-8303-000000003802}3816C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134865Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:41.205{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134864Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:41.205{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134863Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:41.205{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134862Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:41.205{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134861Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:41.205{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134860Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:41.205{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134859Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:41.205{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134858Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:41.205{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134857Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:41.205{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134856Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:41.205{6AAC6DF5-B0AF-6218-0500-000000003802}424440C:\Windows\system32\csrss.exe{6AAC6DF5-C9D5-6218-8303-000000003802}3816C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000134855Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:41.205{6AAC6DF5-B0B2-6218-2200-000000003802}15003888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6AAC6DF5-C9D5-6218-8303-000000003802}3816C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000134854Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:41.206{6AAC6DF5-C9D5-6218-8303-000000003802}3816C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6AAC6DF5-B0B0-6218-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{6AAC6DF5-B0B2-6218-2200-000000003802}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000134853Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:41.142{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C90629C6E658BA7B69E282FD3C0AB871,SHA256=15F502CB8F8287293AC240627BA19C9F85A9BBCC146E446A35BCF2440ABCB218,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189721Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:42.936{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73B57B967D598AA2AE338BA46F8D2900,SHA256=E94B10A7080D73B613BEDED8D2298026E1028EB075D6E2B95CB84972541EA1F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134884Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:42.814{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1DF7E3597C9FA436D6EB8FD4A06334B9,SHA256=DAEB4288C3DB41F5E58EA07A8830120DE8F98897735A5F4606BECD0C5407A062,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134883Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:42.408{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=020BC7E27E3D01C937289AB0A3A6C271,SHA256=43006A66718B6686E6A10B804B1D31B9BF92B16E0DE71166B71EFF996454DD6F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000189720Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:41.628{414E8EDF-B0C9-6218-6A00-000000003702}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52653-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000189719Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:42.249{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0B1-6218-1500-000000003702}1240C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189718Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:42.249{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0B1-6218-1500-000000003702}1240C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189717Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:42.249{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0B1-6218-1500-000000003702}1240C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000189722Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:43.952{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=757722808C0E4D4F4DCECB22E54F581C,SHA256=3C0EC28AE70D47D394768288B7B8AC748572C7079458F2E96BC1AC45577E39AC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000134886Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:41.554{6AAC6DF5-B0C0-6218-5B00-000000003802}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-933.eu-central-1.compute.internal50950-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000134885Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:43.439{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6DE6EB283056B74720B35CF4FD3091C,SHA256=6BD38720D021EEC1A34FD9D00814A6E6860036364A92AF6A72589FC6E945361F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189723Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:44.968{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5E05E88BD744D4B36C35C577B2F71DE,SHA256=B66BC5D1BF58593BDE38EF9DBD3231481F97D2DDB9B4914ECBF280117D473664,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000134900Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:44.736{6AAC6DF5-B0B4-6218-2B00-000000003802}28082828C:\Windows\system32\conhost.exe{6AAC6DF5-C9D8-6218-8503-000000003802}3068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134899Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:44.736{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134898Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:44.736{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134897Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:44.736{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134896Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:44.736{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134895Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:44.736{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134894Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:44.736{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134893Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:44.736{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134892Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:44.736{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134891Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:44.736{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134890Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:44.736{6AAC6DF5-B0AF-6218-0500-000000003802}4241012C:\Windows\system32\csrss.exe{6AAC6DF5-C9D8-6218-8503-000000003802}3068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000134889Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:44.736{6AAC6DF5-B0B2-6218-2200-000000003802}15003888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6AAC6DF5-C9D8-6218-8503-000000003802}3068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000134888Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:44.737{6AAC6DF5-C9D8-6218-8503-000000003802}3068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6AAC6DF5-B0B0-6218-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6AAC6DF5-B0B2-6218-2200-000000003802}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000134887Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:44.471{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7A25C912DAB5FD0ADD7AF947CB8100C,SHA256=E6F2BD26BC5694C5B0C53F7945884C45FAC4D1EAEF2CD0EAA61128D5E63CF042,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189724Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:45.983{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC919A425EE461B9872CF244C6D915E0,SHA256=0114422021BFDC0D544054C0C716FA17CFA55498381D8678B3E18D1E307E310B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134917Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:45.939{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D75C3FE7A2DE3D46DFF5FEC1A03F739,SHA256=10C13A4647B222566EE5EE071D58170F6730C94B03CA6A38953C0B27178FD7D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134916Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:45.939{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D615A37E278743A9F509F2AF37F68704,SHA256=3FE2E14F48FA0F5E84AC7913418C2031AB2CBB3423081ECFE2C486C59CE0F286,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000134915Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:45.424{6AAC6DF5-C9D9-6218-8603-000000003802}29641092C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6AAC6DF5-B0B2-6218-2200-000000003802}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134914Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:45.236{6AAC6DF5-B0B4-6218-2B00-000000003802}28082828C:\Windows\system32\conhost.exe{6AAC6DF5-C9D9-6218-8603-000000003802}2964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134913Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:45.236{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134912Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:45.236{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134911Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:45.236{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134910Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:45.236{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134909Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:45.236{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134908Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:45.236{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134907Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:45.236{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134906Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:45.236{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134905Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:45.236{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134904Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:45.236{6AAC6DF5-B0AF-6218-0500-000000003802}424540C:\Windows\system32\csrss.exe{6AAC6DF5-C9D9-6218-8603-000000003802}2964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000134903Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:45.236{6AAC6DF5-B0B2-6218-2200-000000003802}15003888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6AAC6DF5-C9D9-6218-8603-000000003802}2964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000134902Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:45.237{6AAC6DF5-C9D9-6218-8603-000000003802}2964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{6AAC6DF5-B0B0-6218-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6AAC6DF5-B0B2-6218-2200-000000003802}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000134901Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:45.017{6AAC6DF5-C9D8-6218-8503-000000003802}30682512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6AAC6DF5-B0B2-6218-2200-000000003802}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000189725Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:46.983{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A198C6E80DB3E81282F54F2E7B5A092D,SHA256=C0C82BA3C66823728DA702998A81D876E31C16C96FD6E714A747FE2C0868665D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134931Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:46.971{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E937FD0F9D4EFC7900D41072A008F449,SHA256=5064CECC3F0378629A90034C445C49430692B1AC301E962295F61D3FACD5DFBB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000134930Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:46.893{6AAC6DF5-B0B4-6218-2B00-000000003802}28082828C:\Windows\system32\conhost.exe{6AAC6DF5-C9DA-6218-8703-000000003802}996C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134929Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:46.893{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134928Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:46.893{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134927Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:46.893{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134926Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:46.893{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134925Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:46.893{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134924Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:46.893{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134923Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:46.893{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134922Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:46.893{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134921Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:46.893{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134920Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:46.893{6AAC6DF5-B0AF-6218-0500-000000003802}424440C:\Windows\system32\csrss.exe{6AAC6DF5-C9DA-6218-8703-000000003802}996C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000134919Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:46.893{6AAC6DF5-B0B2-6218-2200-000000003802}15003888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6AAC6DF5-C9DA-6218-8703-000000003802}996C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000134918Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:46.893{6AAC6DF5-C9DA-6218-8703-000000003802}996C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6AAC6DF5-B0B0-6218-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{6AAC6DF5-B0B2-6218-2200-000000003802}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000134934Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:47.986{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4216FA5590353F81A9C6059EE2D1CBD,SHA256=E8550AD32A5A4539E7F07B3C9869696D858F20678C63475B0CCAE45121D2ED4D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000189726Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:46.628{414E8EDF-B0C9-6218-6A00-000000003702}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52654-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000134933Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:47.939{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=00986B7CEF982EA3CC330A8AF8B018F8,SHA256=A01F6B89039C4C370B2A140BDEC993DF15E5B8D4AEC34B4185AB986403D66BC9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000134932Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:47.080{6AAC6DF5-C9DA-6218-8703-000000003802}9962648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{6AAC6DF5-B0B2-6218-2200-000000003802}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000134948Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:48.986{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D80D2E7EC1A140D10442DEEACEB51E74,SHA256=20F3809B494F7B69AC12C3682773C4999489899890E11652966F5EB96D4C052A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189727Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:47.999{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72A74A5B7733629C1633BA442DE4E83C,SHA256=7BDCF4CD725E4FBD473FFCCE3F9AEFC057371DD59414E395C760308D5A4A3948,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000134947Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:48.174{6AAC6DF5-B0B4-6218-2B00-000000003802}28082828C:\Windows\system32\conhost.exe{6AAC6DF5-C9DC-6218-8803-000000003802}1312C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134946Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:48.174{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134945Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:48.174{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134944Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:48.174{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134943Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:48.174{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134942Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:48.174{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134941Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:48.174{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134940Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:48.174{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134939Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:48.174{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134938Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:48.174{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134937Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:48.174{6AAC6DF5-B0AF-6218-0500-000000003802}424540C:\Windows\system32\csrss.exe{6AAC6DF5-C9DC-6218-8803-000000003802}1312C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000134936Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:48.174{6AAC6DF5-B0B2-6218-2200-000000003802}15003888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6AAC6DF5-C9DC-6218-8803-000000003802}1312C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000134935Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:48.175{6AAC6DF5-C9DC-6218-8803-000000003802}1312C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6AAC6DF5-B0B0-6218-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{6AAC6DF5-B0B2-6218-2200-000000003802}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000189728Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:48.999{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88F2AA335D347C7AC551D28BD6B06AEF,SHA256=76AF403B07238E8B12A317F1749FB614480221FE3F784D9EF2E9C5E2F1654D89,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000134950Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:47.538{6AAC6DF5-B0C0-6218-5B00-000000003802}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-933.eu-central-1.compute.internal50951-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000134949Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:49.408{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=87172D815FBDD887F64310F76E12C568,SHA256=1BBB2E118F01378487EECF380555DBE494E4F88196FBA194D1F28A127EDFAE7A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000189745Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:50.983{414E8EDF-B0C0-6218-3300-000000003702}31843204C:\Windows\system32\conhost.exe{414E8EDF-C9DE-6218-D203-000000003702}5396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189744Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:50.983{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189743Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:50.983{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189742Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:50.983{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189741Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:50.983{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189740Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:50.983{414E8EDF-B0AE-6218-0500-000000003702}416372C:\Windows\system32\csrss.exe{414E8EDF-C9DE-6218-D203-000000003702}5396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000189739Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:50.983{414E8EDF-B0BE-6218-2900-000000003702}27923692C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{414E8EDF-C9DE-6218-D203-000000003702}5396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000189738Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:50.984{414E8EDF-C9DE-6218-D203-000000003702}5396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{414E8EDF-B0AE-6218-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{414E8EDF-B0BE-6218-2900-000000003702}2792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000189737Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:50.358{414E8EDF-B0C0-6218-3300-000000003702}31843204C:\Windows\system32\conhost.exe{414E8EDF-C9DE-6218-D103-000000003702}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189736Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:50.358{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189735Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:50.358{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189734Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:50.358{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189733Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:50.358{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189732Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:50.358{414E8EDF-B0AE-6218-0500-000000003702}4165324C:\Windows\system32\csrss.exe{414E8EDF-C9DE-6218-D103-000000003702}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000189731Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:50.358{414E8EDF-B0BE-6218-2900-000000003702}27923692C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{414E8EDF-C9DE-6218-D103-000000003702}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000189730Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:50.359{414E8EDF-C9DE-6218-D103-000000003702}5776C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{414E8EDF-B0AE-6218-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{414E8EDF-B0BE-6218-2900-000000003702}2792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000189729Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:50.015{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBF1D152B7CA8BDE321A0EC2E4D21A80,SHA256=4AEC6FE1641A0FADA4EBF198814C916563FAE1BDF554D0A0EE0D24666D7A7800,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134951Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:50.002{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F7B6B64E2469760E01B6DC80DBD953D,SHA256=1C7E86828D7E29EDAD8CDE254016D1708AF20441FBE8B630A8CDAA6F5F7EE6E6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000189791Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:51.921{414E8EDF-C9DF-6218-D303-000000003702}56363772C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{414E8EDF-B0BE-6218-2900-000000003702}2792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189790Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:51.655{414E8EDF-B0C0-6218-3300-000000003702}31843204C:\Windows\system32\conhost.exe{414E8EDF-C9DF-6218-D303-000000003702}5636C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189789Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:51.655{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189788Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:51.655{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189787Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:51.655{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189786Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:51.655{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189785Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:51.655{414E8EDF-B0AE-6218-0500-000000003702}4165324C:\Windows\system32\csrss.exe{414E8EDF-C9DF-6218-D303-000000003702}5636C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000189784Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:51.655{414E8EDF-B0BE-6218-2900-000000003702}27923692C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{414E8EDF-C9DF-6218-D303-000000003702}5636C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000189783Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:51.656{414E8EDF-C9DF-6218-D303-000000003702}5636C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{414E8EDF-B0AE-6218-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{414E8EDF-B0BE-6218-2900-000000003702}2792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000189782Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:51.452{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DD-6218-8900-000000003702}4020C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189781Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:51.452{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DD-6218-8900-000000003702}4020C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189780Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:51.452{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DD-6218-8900-000000003702}4020C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189779Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:51.452{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DD-6218-8900-000000003702}4020C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189778Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:51.452{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DD-6218-8900-000000003702}4020C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189777Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:51.452{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DD-6218-8900-000000003702}4020C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189776Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:51.452{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DD-6218-8900-000000003702}4020C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189775Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:51.452{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DD-6218-8900-000000003702}4020C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189774Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:51.452{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DD-6218-8900-000000003702}4020C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189773Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:51.452{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DD-6218-8A00-000000003702}4764C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189772Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:51.452{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DD-6218-8A00-000000003702}4764C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189771Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:51.452{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DD-6218-8A00-000000003702}4764C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189770Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:51.452{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2700-000000003702}2764C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189769Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:51.452{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2700-000000003702}2764C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189768Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:51.452{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189767Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:51.452{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189766Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:51.452{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189765Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:51.452{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189764Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:51.452{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189763Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:51.452{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189762Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:51.452{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189761Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:51.452{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189760Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:51.452{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189759Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:51.452{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189758Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:51.452{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189757Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:51.452{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189756Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:51.452{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189755Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:51.452{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189754Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:51.452{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189753Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:51.452{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189752Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:51.452{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189751Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:51.452{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189750Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:51.452{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189749Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:51.452{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000189748Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:51.374{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=57A6CC10263E7DF8724BA830C5448AA8,SHA256=1377F6482BB672ECB956E934F30CE1C4B686CF51C3EA4BBB1DFE066AC36DD8A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189747Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:51.374{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=10F351058596A850F97F25DC6E643EDD,SHA256=DED31C1E3F1648452E8B8DC39F80CE4EEC5F15A47ED6B2F62C53F8EA89B8EBEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189746Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:51.030{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6B26E950EE1CB75F87503ED8FA14D7C,SHA256=5192E50C7E70FE0A6B1BD7B71C1C2952DFB396716333921E6E541277B34D3011,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134952Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:51.002{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D59933BA1CB473D9F3FD2A5780826BE,SHA256=2DA752B962CBAD2BF07DFB81C764A8DF81F7FA180AD37CC533629C13DB2D30ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189802Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:52.765{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=57A6CC10263E7DF8724BA830C5448AA8,SHA256=1377F6482BB672ECB956E934F30CE1C4B686CF51C3EA4BBB1DFE066AC36DD8A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189801Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:52.655{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA800DE9D9C1924691D495F500AB04E5,SHA256=8A021FA0C905C6009ECB22E92A6380A0E343370DC4E6476C646A457949AC0ABF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000189800Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:52.468{414E8EDF-C9E0-6218-D403-000000003702}15404328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{414E8EDF-B0BE-6218-2900-000000003702}2792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189799Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:52.155{414E8EDF-B0C0-6218-3300-000000003702}31843204C:\Windows\system32\conhost.exe{414E8EDF-C9E0-6218-D403-000000003702}1540C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189798Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:52.155{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189797Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:52.155{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189796Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:52.155{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189795Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:52.155{414E8EDF-B0AE-6218-0500-000000003702}416372C:\Windows\system32\csrss.exe{414E8EDF-C9E0-6218-D403-000000003702}1540C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000189794Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:52.155{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189793Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:52.155{414E8EDF-B0BE-6218-2900-000000003702}27923692C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{414E8EDF-C9E0-6218-D403-000000003702}1540C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000189792Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:52.156{414E8EDF-C9E0-6218-D403-000000003702}1540C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{414E8EDF-B0AE-6218-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{414E8EDF-B0BE-6218-2900-000000003702}2792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000134953Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:52.018{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC2BC1B157589A2D2D4F4D14BBD7C4D7,SHA256=A80BCB66F3938C2505F3098B6155EF6A330611687B18BC86D930438EB25EEC58,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000189821Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:53.890{414E8EDF-C9E1-6218-D603-000000003702}5404644C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{414E8EDF-B0BE-6218-2900-000000003702}2792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189820Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:53.718{414E8EDF-B0C0-6218-3300-000000003702}31843204C:\Windows\system32\conhost.exe{414E8EDF-C9E1-6218-D603-000000003702}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189819Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:53.718{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189818Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:53.718{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189817Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:53.718{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189816Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:53.718{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189815Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:53.718{414E8EDF-B0AE-6218-0500-000000003702}416432C:\Windows\system32\csrss.exe{414E8EDF-C9E1-6218-D603-000000003702}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000189814Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:53.718{414E8EDF-B0BE-6218-2900-000000003702}27923692C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{414E8EDF-C9E1-6218-D603-000000003702}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000189813Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:53.718{414E8EDF-C9E1-6218-D603-000000003702}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{414E8EDF-B0AE-6218-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{414E8EDF-B0BE-6218-2900-000000003702}2792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000189812Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:53.218{414E8EDF-C9E1-6218-D503-000000003702}56844064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{414E8EDF-B0BE-6218-2900-000000003702}2792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000189811Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:53.155{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B85DFF2E249FBDC034E4A7B4F93E8385,SHA256=0E363164AD800FCB986E44B966D21B5CA7933B0763FA0A65BBB828A31093069B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134954Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:53.033{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98BF059992892C4B833BF317CBC22311,SHA256=660D88B91D47F2F91A1BF7591E18F80E2165A68E93951F5933FA2DF0DC9131A9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000189810Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:53.046{414E8EDF-B0C0-6218-3300-000000003702}31843204C:\Windows\system32\conhost.exe{414E8EDF-C9E1-6218-D503-000000003702}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189809Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:53.046{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189808Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:53.046{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189807Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:53.046{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189806Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:53.046{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189805Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:53.046{414E8EDF-B0AE-6218-0500-000000003702}4165324C:\Windows\system32\csrss.exe{414E8EDF-C9E1-6218-D503-000000003702}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000189804Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:53.046{414E8EDF-B0BE-6218-2900-000000003702}27923692C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{414E8EDF-C9E1-6218-D503-000000003702}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000189803Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:53.047{414E8EDF-C9E1-6218-D503-000000003702}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{414E8EDF-B0AE-6218-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{414E8EDF-B0BE-6218-2900-000000003702}2792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000189826Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:54.187{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEABEB8C7BABB740EB32E28D063EAC54,SHA256=92D4227071C0972B85C73AFF7C6B87182A4FABC1D6AB98D4EB620C6E7B1A86CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134955Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:54.049{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C1221870ECC6CF8B6A1F3B02B83B0D3,SHA256=A1C3A0CB6EE85FA4C6EF815E5C48073110345B6222C0C1A633712219A148D32C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189825Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:54.077{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=72327F36AE7408ED75E95E8D59726118,SHA256=9D31A54AC13E7D6E08BA40126F9C5238B6F1C5AC7694DE29B5A2B7F168B9A2BD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000189824Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:52.878{414E8EDF-B0AE-6218-0B00-000000003702}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-478.attackrange.local52656-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-478.attackrange.local389ldap 354300x8000000000000000189823Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:52.878{414E8EDF-B0BE-6218-2B00-000000003702}2820C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-478.attackrange.local52656-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-478.attackrange.local389ldap 354300x8000000000000000189822Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:52.644{414E8EDF-B0C9-6218-6A00-000000003702}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52655-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000189827Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:55.296{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B636A3F5F6CA8C656DB0A28B4E3CD1C,SHA256=63893D1B79648A52B4302A525BEB46F50E2DD4608E34BF8950D06417BD62BA16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134957Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:55.096{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EF847199329D92C8AED4885375A0AFD,SHA256=3D6726BA5AA3B973B299572D345759F6943D40317F9A4CC4D997EED98DDA030F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000134956Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:52.616{6AAC6DF5-B0C0-6218-5B00-000000003802}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-933.eu-central-1.compute.internal50952-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000189836Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:56.843{414E8EDF-B0C0-6218-3300-000000003702}31843204C:\Windows\system32\conhost.exe{414E8EDF-C9E4-6218-D703-000000003702}4268C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189835Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:56.843{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189834Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:56.843{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189833Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:56.843{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189832Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:56.843{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189831Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:56.843{414E8EDF-B0AE-6218-0500-000000003702}416372C:\Windows\system32\csrss.exe{414E8EDF-C9E4-6218-D703-000000003702}4268C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000189830Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:56.843{414E8EDF-B0BE-6218-2900-000000003702}27923692C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{414E8EDF-C9E4-6218-D703-000000003702}4268C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000189829Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:56.844{414E8EDF-C9E4-6218-D703-000000003702}4268C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{414E8EDF-B0AE-6218-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{414E8EDF-B0BE-6218-2900-000000003702}2792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000189828Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:56.405{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B7629EB8221EDE561D7E83507E50C35,SHA256=AD187FE5F7A8EBF5469E7E9CAB325AF3DC7FC0DDD64EDC1BC2C60AB242ABCD25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134958Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:56.111{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99994F8B45ABD893D5B4A0C19B5E2731,SHA256=F0130AA06F177F1810ED3F721AA348E6CA48E4C506BB38793812F67A9A9A6733,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189838Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:57.874{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EB0855A101B58BF77BC8E426C8D19567,SHA256=F006A34676BEDF8652BE56EEE68B485DB1B4E77782518C17E256BFB76150DD11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189837Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:57.421{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39E85DB38C4E25BA8FAA7E3FE9FEF920,SHA256=1DB1FCD6FCF061D6A2FD7ED0951047BE3ED7A8A35AD94C301AE3203F67B1E8BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134959Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:57.127{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B71F61FE74CD43C9929B5EB2959DE9C,SHA256=7F972C261A879722930E2E1549943CBDE5142A4695EF45F87103B5663061B5F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189839Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:58.593{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B3390D305C98760B462089849484799,SHA256=2A0779BC5CD037127FB7B75C8CF00AA18CE11020540D084EC5140304BE5034F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134960Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:58.143{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=714257AC7A804A02234C7187CD6BBF56,SHA256=98FDF94021722DE2F46AC48F0B1C672F9871859F15148A73E6590EC427ECF504,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189840Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:59.718{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53C7722EF09112E4D50C4C2EB4038811,SHA256=C7D9E167D95B175331601F5F5EC081B77C67AF54652EAD05C8F9DFAD856012CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134961Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:59.158{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16B9F125587DFF79E9360DDBAF1FC56C,SHA256=B7DB855AE96233E77807FF0A9103C1BED50FE9846EC8CB19D7934F6022E89F1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189842Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:00.780{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58FF99882D9F6C6546875E9237C7A538,SHA256=09F692A5C186896B15B8720D2D27B476414180F5A2F257628F64BA09DFAF16F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134962Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:00.174{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA6C449CDAF9CF620E14F26D887B8084,SHA256=36BD0611B89773DBE85675366B9066FBC7F2A98073109B1ACC6E29A34657B9DF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000189841Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:21:58.581{414E8EDF-B0C9-6218-6A00-000000003702}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52657-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000189843Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:01.812{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=339250449AD2519DDBC72A9EACBAE9D9,SHA256=FC5E2D3993EE2D6629606F2AF92409C0B8222846885916ABAAF58F0C0B8CC099,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134964Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:01.190{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6ED65398B81B901BF5A690DD5BD8CBCD,SHA256=AE79C4C60482244A3D58F93D9CB153F584197831E19E78CCAEEDB90669C90948,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000134963Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:21:58.616{6AAC6DF5-B0C0-6218-5B00-000000003802}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-933.eu-central-1.compute.internal50953-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000189844Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:02.843{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=307AA071A28DEEDABFFCE3AA818DFFE1,SHA256=6807629A0137B8A201AB633816F4064B240DD3A55419064A510A05D30E884997,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134965Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:02.205{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C31E745FA765286A88798B79456D0CCE,SHA256=3A92365ED98B464EBC6CC43C31904B06378136A4C53D6D41FA591EE34251F4A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189845Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:03.843{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFAC7A203FD9C327E8318FA3C73BD53C,SHA256=26510CE738C8ECF9202ADC0018CCA364B2B87FE337881C23D7B18466DF48D46F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134966Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:03.221{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6773D4169CEECE0CA4C0ABAC9C9CC25F,SHA256=7670195BA76A6A164D0EF8C8CA6833E465AEEB2B028998C3F1AF4423B064F445,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189846Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:04.858{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5583E984F8D4130B57A8BE42FA06344,SHA256=F9294CFC2D2B4DB863BFADC80BC322ABB4020310375D89199219FB3EC4ADBE30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134967Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:04.221{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0983F7961494A676056628EF5C20A7E6,SHA256=7154FDA5674E0317713DE1BE2BCFE354B15D7158E831B51A806EED0F1CC06434,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189847Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:05.874{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B0EAF24C0B6D5EA4C0723907FC3E840,SHA256=4548625459B06E096FD01A5398442BEACD58C649681EBD823107A4863459627A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134968Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:05.237{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E13ED048A27309C1A70DAC2C4BC77BB3,SHA256=3117150EF3D5129F0336CF13D2B29533B6B9AA017340D264992F6227C8A661AA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000189848Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:04.581{414E8EDF-B0C9-6218-6A00-000000003702}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52658-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000134970Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:04.569{6AAC6DF5-B0C0-6218-5B00-000000003802}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-933.eu-central-1.compute.internal50954-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000134969Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:06.252{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B22278F68BC34065F031E1E01DE9DC5,SHA256=AFD3ABD511EEF25B976BB4FC2AF9B411792C1D93A679B8406928A80926B025F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189849Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:07.093{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A3A6A0C3AA9F8C90DCF93FBC64B0CAE,SHA256=CD79938EE7C037A60B4715496E56E2F387F7BA2297C9FC3578A0D505AF501BE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134971Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:07.268{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=673C5D3B13843A4D9C356DC47F723445,SHA256=B54D79E0128E297C292DFD6C85E2CBC549313076C39405382983996C75F4A3E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189850Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:08.093{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42582C3F2DA9E618E9BE4BF6D8D92677,SHA256=DD512A323A7180382D6E1DAA561B4C00F89CA708130E5DB16508A7A47EE78153,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134972Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:08.268{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B97DCB2E63DE0F6C616191C51A9A2A19,SHA256=EFAD92404F87F422C8A68B6D1710E055D4B08CEFCFD86F5263A546CA4A3AC46C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189851Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:09.218{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=756DDF9C6A63AFC51190124D2946E2B0,SHA256=E206445B7938AED8E6D7552DBC70D5F5D6211D890D05771A75C608AEBBC0BD73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134974Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:09.270{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74E2BD36D247DE1A20B82D014E4E39FF,SHA256=2FBF61BAE798AAF7FC661C2138D66DA82BF731F83D853F68E6ADAAF105FA4C40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134973Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:09.085{6AAC6DF5-B0B2-6218-1D00-000000003802}1952NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d7ccee276d30a4b6\channels\health\respondent-20220225103429-104MD5=FBD42F5F8AA0DC0DD6067820063FF10B,SHA256=AAA41009555F09EFB0ED817562D7125DD50A33AE671816E82835424EE5CAE232,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189852Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:10.234{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49D1D4BBBE9C2412595623CE3DB778FE,SHA256=F434A15CF0931A55F6E0A3B8C87F875BCC06EE682860092746BCEE442EE7A6FA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000134977Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:07.976{6AAC6DF5-B0B1-6218-1300-000000003802}108C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruetruefe80:0:0:0:207d:26ac:f5ff:fef0win-host-tcontreras-attack-range-933546dhcpv6-clienttrueff02:0:0:0:0:0:1:2-547dhcpv6-server 23542300x8000000000000000134976Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:10.283{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=475B30E974DD5E08E88FB3FA7F6592D6,SHA256=C24C358191180E06F0FDEC598FA6EB18043526377B5299358D494E5F9CDB0440,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134975Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:10.083{6AAC6DF5-B0B2-6218-1D00-000000003802}1952NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d7ccee276d30a4b6\channels\health\surveyor-20220225103427-105MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000189854Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:09.690{414E8EDF-B0C9-6218-6A00-000000003702}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52659-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000189853Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:11.312{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75257B04BCFE95B770D207C2F7A604C9,SHA256=71796EBD31CFC037C3A9A6F15EF988BA113697F3FB58DDAE5929D6DADEAA1FC3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000134979Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:09.631{6AAC6DF5-B0C0-6218-5B00-000000003802}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-933.eu-central-1.compute.internal50955-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000134978Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:11.286{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D93ACDD54CF3BC302BC29E5CB94E9A69,SHA256=C3C8270E44141969E6475E82D39549C5A1BAB9A4A5DC9264B74B2B01A74CBAAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189855Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:12.312{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99084DD942DEBB9FFE68E3BDB75847B2,SHA256=7CD80248A6E090B5BB4762D8BC242DE5D7641439D754537639E632068B0A0AF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134980Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:12.317{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1F4898C1B437CC51B44965CA4C2CD74,SHA256=0CA3148E64364F1A8F9DB64BDFBF09FA19A7639D3A9D833A442BB9E5D1884797,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189856Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:13.327{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F36D38DEDF5E533B48D99192FA09E6C,SHA256=A04464F07ACB23CD62065FC911BD75157FF5BDA979AE9B3713D95DF9375942AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134981Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:13.317{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8951A6B09C714AFD3DB0B78B3E7BBA6E,SHA256=A0DCDBA2FF2C454EAAC4C255AF2B2511D39CE0F51E7B4AD9842B1CF7E5A78B94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189857Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:14.343{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DAC367F77F7B0E33D70E888888109ED,SHA256=11DB69658B08A22084A70DF0FDC84124F7672AF9D8B00984F49110D9E897EA39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134982Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:14.332{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72970FC91DA46B350B47B313F63BD05E,SHA256=D0DEF0D1EC5C8B6E8CBD41D2AE8F1BAF0A6DD8A017352E7B2B224FBC879E74B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189860Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:15.359{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47E4EAD8721822F780C0C6DCF077FD5B,SHA256=EBB2D135F660A0C0A36787A5BD8EEB3CD8C5B15D933B21EB07D46A2DEB322BC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134983Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:15.348{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6895A1E102FCE61958CE37E59656EC0,SHA256=8FC836AD5A1F0B5FAD80F0D7A2D954FD395FE9A30826A492A553F25E5E0E752A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000189859Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:15.030{414E8EDF-B0B0-6218-0D00-000000003702}9005868C:\Windows\system32\svchost.exe{414E8EDF-C88D-6218-AA03-000000003702}4564C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189858Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:15.030{414E8EDF-B0B0-6218-0D00-000000003702}9005868C:\Windows\system32\svchost.exe{414E8EDF-C88D-6218-AA03-000000003702}4564C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000189862Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:16.374{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71EEF342BD9E20B46FC092FEDF3746FF,SHA256=CA2F839392CEEC7E8DCD560878285FA5094C8215927BA1F917DBA0A726EFA9CF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000134985Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:14.633{6AAC6DF5-B0C0-6218-5B00-000000003802}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-933.eu-central-1.compute.internal50956-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000134984Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:16.364{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA8B7169C7EEDB28BACC766BEEBF41DA,SHA256=FF6F2AAF13E4E49D9B98001A8EAF2A4D7ADE6193AA07DFB486F5E946151336D3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000189861Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:15.643{414E8EDF-B0C9-6218-6A00-000000003702}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52660-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000189863Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:17.546{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A24AA002223980D1F86A1B38F84F705C,SHA256=5248C460C424840D18CD6FE08121AE3A5CFDB58E786B10374CF198895EBEBEE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134986Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:17.379{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B56AD09CD31DA360A2F6E535AC5D1E4C,SHA256=0F03ACBB800E088BCBD4D3B7FC50C8C0869E4B31130F3D74C5970B4C2B0CEB35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189866Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:18.640{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09AFFCBA168E5898DD1FAE6148794421,SHA256=3F1DB76EAB8C91F006B726D302932811B4217616746A56AAC3022F90A607C32C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134987Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:18.395{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94377A54555E845331D2765EF3634728,SHA256=F946E0F11BABD72B012C6D7AAEC22500C4877D1725AB73BBF9B7B2CDE4D1253D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000189865Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:17.489{414E8EDF-B0BE-6218-2A00-000000003702}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-478.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-478.attackrange.local53973- 354300x8000000000000000189864Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:17.488{414E8EDF-B0BE-6218-2A00-000000003702}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-478.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-478.attackrange.local60261- 23542300x8000000000000000189868Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:19.879{414E8EDF-B0BE-6218-2400-000000003702}2716NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0cad71091a725587e\channels\health\respondent-20220225103441-104MD5=E961008872A85D9E7B2EDCDB9076BE5A,SHA256=4C7B4263F3F8553ACCFCCC53A0FA56737D447810FFCB4A43A3BA8D688A9FDFED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189867Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:19.704{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06B8FF2912E79518A469D0A03B8D468B,SHA256=4D812546C013AF960445D4601163915E1D34673021550BDF8ABEC5AEBDA90D1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134988Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:19.395{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BF3FBD0CCC2FE63A808ED83659B686E,SHA256=78C02B6EBACFE56115F5F2FBC3476304381DF50B65F1475F2A001F52F427D2C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189870Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:20.880{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=762EAB5DED9CFCAF34E7AA3B6334C94D,SHA256=8EC0A05A16BEC611BCF3A93730D9388870588D798DBD0D642A81736963CF674A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134989Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:20.411{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3E482DD3A337EC2B50ECAC743953624,SHA256=827EA517F4441C4166BCDAE659E9D525BC3954A94A31068C48A9FD22CD556C07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189869Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:20.877{414E8EDF-B0BE-6218-2400-000000003702}2716NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0cad71091a725587e\channels\health\surveyor-20220225103439-105MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134990Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:21.426{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E43D38AB39076A18CBFB2F680D7930E,SHA256=87276528A8E01FE578E00CFA4F21770D285DE09B74ED98D6EEFB19635E29BEA3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000134992Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:20.555{6AAC6DF5-B0C0-6218-5B00-000000003802}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-933.eu-central-1.compute.internal50957-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000134991Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:22.442{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F845D0BB58BF43B762D895B81552164,SHA256=A430388C12BB0F170B858A1005C88DC69A990E2A3B967542EB4DB9027BBDB978,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000189872Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:20.707{414E8EDF-B0C9-6218-6A00-000000003702}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52661-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000189871Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:22.112{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=591FB49D224A93D89A3E95494848DB47,SHA256=B789ECCEDC2EEA78E18B67A28BEC9C162100A07B12794B084D5E63265A8F9F1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134993Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:23.458{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A39515C1A014A2A8EDD81BC057A8F06,SHA256=6451C9C7DB858C67A71C805711B9E1AC79850A1EA00611AB0ABB8A921747349E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000189874Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:23.815{414E8EDF-B0B0-6218-0D00-000000003702}9005868C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2700-000000003702}2764C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000189873Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:23.128{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=784527C84BF2EF2AFF02CC647F141C0B,SHA256=F3FA9B21DB9E34DFC3D6D33E2FE7DC13678876B6BBCFA1B0B7690B229E83C4F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134994Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:24.458{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A76FC86D9B5A06D3D231034EBF1574EF,SHA256=CFF3B009D9B6CD76B9F2F3F38FECB11160EB11500600EF17073AA009C46DF701,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189875Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:24.144{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0A1F54F04A4007455C80FDC12CCF0B5,SHA256=9A2648554C9EB9EBBF83ECB8EB3AA34FC4B62038A35B51F38BB6515B6E27AC64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134995Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:25.473{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A6BB2B635BDCE51732FC9D46D0C64C2,SHA256=408CF4BD7EAD6354AE009BB04D023F6BCD124F5C4677FE57B78DB36E7C9DCA8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189877Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:25.503{414E8EDF-B0B1-6218-1100-000000003702}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=5F5928D9A64671B6F41D1A9CE38BF6F6,SHA256=FC3827303D1103FB8F3A4AB35368AD234A48E21E23D85FD1FCFB501105F5B9A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189876Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:25.159{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E70D3B6769C3A13E978004D5C3DB6CF,SHA256=11291AD3CB12EFECBF7C8636C52578041B4EA1491FDEB131FF5342D15CCE381E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134997Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:26.801{6AAC6DF5-B0B1-6218-1300-000000003802}108NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=276C2A179746C1D75F90A97CEE069F73,SHA256=06F5F26DA346AEB66AA772FD3AE1849CB4635D46AB43AF4567B1343EFF56FF7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134996Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:26.504{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE5073D4B929C2FDF4B92A1AEBB13EC4,SHA256=554894F3FFA00BA7A2FCDD7F224398D52968EB6C364B77A26555694ACCF1A077,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189878Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:26.394{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=654193A6592C1C8F4019812B930AD1B3,SHA256=60CE97042EB6463DD62F86C4FD176E6CCE7B6B40DD205937CF902E6BDAC66412,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000134999Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:25.758{6AAC6DF5-B0C0-6218-5B00-000000003802}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-933.eu-central-1.compute.internal50958-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000134998Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:27.520{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B552708EC069A95E4849B6F614D0338,SHA256=03B5FFF4EE3FEB37A4605920599E5419AFDE0F31CDA7ECA2167074E0A2A18A24,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000189880Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:25.756{414E8EDF-B0C9-6218-6A00-000000003702}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52662-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000189879Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:27.409{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD10B7F16710D09ABC09BF1330F0BD81,SHA256=67EABAE98065CC1C08F114D159F593F52CD6ADCF75F69ACC320C41F888C2109B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135000Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:28.536{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FDE0726432C54491B1C611F524D4457,SHA256=A619DD19B0C416FAAB6F2D0FD518D9CE955EC516B4E8BD5BA474F12197C9C35B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189881Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:28.425{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85A630037693D89B8CFA40CFE6EB4BF8,SHA256=4BDE0CC90ABBC0BDE9DCE424917F659FCEA71FA2B88BA6DB13E1C61040CE2C50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135001Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:29.567{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A390BCAC6D006EA89F2E4FF45B6CF6A2,SHA256=8D0A0D120D52F66E76A798675DD680A7868A1708A12BA81A44ECD7929934ABE4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000189883Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:29.456{414E8EDF-B0B0-6218-0D00-000000003702}9005868C:\Windows\system32\svchost.exe{414E8EDF-B0B0-6218-0C00-000000003702}840C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000189882Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:29.441{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D5BCC0A9FEF06FE901248172E7B56C2,SHA256=904AA31ACEE4DCFA9059C772C3515C12B298CFBA6E089D5DBC22CB68EFE35002,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189884Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:30.628{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEAE8F901DAF7B99C8B53E2E7A88A60C,SHA256=056511FCE70DF5B4DEDD2421707F989DA62D9620C89469B9F6B81A8492D1C593,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135003Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:30.567{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B51EA2DD0201E31CD99945187AAF830,SHA256=4018F5C5055D9423E508A56EFBFDF8A53718C692FEF44F5C434B84AB270A2920,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135002Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:30.161{6AAC6DF5-B0B2-6218-2200-000000003802}1500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=4A396A40DE4AD844AFDFD6BFEE34209D,SHA256=ABC582D2644B8C5C1CF17206963A01B55D9A40BBB1979B03D8F2D216AA803ABE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189885Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:31.644{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4FA193A933C995B7CC2E346CBE31B99,SHA256=566872C618272C7B5248C82BE53B78D951F871C15B48222776AFB62FF19C90B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135004Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:31.614{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C14AD1433A11F48D91413A0E5B8A8B7F,SHA256=5A4583E879CC11E7F54C23A2037B50101C29114F433EEA2606E3AE778ED6DD6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135006Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:32.630{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5DA5FD9290B1A8973F1F35A0ACC5007,SHA256=8352EFD7D98D5C47A4D27B409BCEA101A3291DC7CD79F153968F8EFE6293C1B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189886Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:32.659{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D8662F8494446060C5EBA69E14A7C08,SHA256=EA74C3F33557859C02F8942041177A0D4F67690B76376841E56412EE0C9BFD6A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000135005Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:29.649{6AAC6DF5-B0B2-6218-2200-000000003802}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-933.eu-central-1.compute.internal50959-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000135007Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:33.645{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDF45CE0409E67936F5714DECB85B4E6,SHA256=75903500301F0E36D29D7362EB055A939FB7E985062F325EFF6242377ED8FE47,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000189888Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:31.725{414E8EDF-B0C9-6218-6A00-000000003702}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52663-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000189887Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:33.675{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB9BD382DDB7DBD69C6ABBE7588D197C,SHA256=10AE67484193554C7A7230950DC745DCBD776EE821EE1881DCFFBD061685F9B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135009Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:34.661{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D511D0209839893AB23455346919FA12,SHA256=E4F45B866834A3FDB7154BBE08280E69558A47F81FAEB87AEAA4F7D2A3512324,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189889Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:34.706{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D37740B45E7EB3432CBACF9A60236616,SHA256=8CB11A02F0DE3FEAA86385DA07DFB3D22878B4612F58C13B31031043D922DDFE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000135008Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:31.758{6AAC6DF5-B0C0-6218-5B00-000000003802}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-933.eu-central-1.compute.internal50960-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000189890Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:35.722{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01EF91DE4CF367371CEB0F7029E08CA3,SHA256=15C4ADED132F03A3C3819B9EA7E495D6EE7982C464F8118A01A6DE45C33ED006,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135010Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:35.692{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67FDB7C0612E21E613BC89F44BD045FF,SHA256=54F4AB238FE263E9DE210B2AFD39EC309B9FD4DB110F98F1491AE75E4B32A762,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135011Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:36.723{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86C31B5728C41FFBBD7589522FC419C8,SHA256=1A8EED9B56D6DD0ED349E3DA4BEB87991857E3C1150718563C0DBCD18BB3BDF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189891Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:36.737{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A628CA56242E78646A1F402DC37C5AC3,SHA256=BAFD471D4E7246B4068C03A35FC73355DFFCEFB5ED39AC12BC47026B9710507D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135012Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:37.755{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C57C67056F7967D7771C9E1102C70351,SHA256=23A94E94B4BF5F8E9C4115C5CA2FBB03E0369D90E96D18E9D5EEA0593FBA039F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189892Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:37.769{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2D71FDD1DD1E070C41A1F32FC3B364C,SHA256=917B662C82C5F3E99E03B413B76E943559E07E0337AD44E2857F84F39E3F6CD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135013Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:38.770{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51EA407299EB663363DC5665181370C8,SHA256=E3E01990E1763A4F95913CB0B5A8EDFF9A02899356AD3544942548D108AE2D0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189902Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:38.831{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E66BE73E3F207CED99D5F7749E5D84C9,SHA256=2616CE333D0F014D2489DA1E981ABA0F5A363980F0FCFA7DF598E69AF65928D0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000189901Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:37.600{414E8EDF-B0C9-6218-6A00-000000003702}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52664-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000189900Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:38.550{414E8EDF-B0BE-6218-2900-000000003702}2792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=4A396A40DE4AD844AFDFD6BFEE34209D,SHA256=ABC582D2644B8C5C1CF17206963A01B55D9A40BBB1979B03D8F2D216AA803ABE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000189899Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:38.456{414E8EDF-B0DB-6218-8600-000000003702}49565720C:\Windows\Explorer.EXE{414E8EDF-C88D-6218-AA03-000000003702}4564C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189898Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:38.456{414E8EDF-B0DB-6218-8600-000000003702}49565720C:\Windows\Explorer.EXE{414E8EDF-C88D-6218-AA03-000000003702}4564C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189897Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:38.456{414E8EDF-B0DB-6218-8600-000000003702}49565720C:\Windows\Explorer.EXE{414E8EDF-C88D-6218-AA03-000000003702}4564C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189896Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:38.441{414E8EDF-B0DB-6218-8600-000000003702}49564104C:\Windows\Explorer.EXE{414E8EDF-C88D-6218-AA03-000000003702}4564C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+639b0|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189895Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:38.441{414E8EDF-B0DB-6218-8600-000000003702}49564104C:\Windows\Explorer.EXE{414E8EDF-C88D-6218-AA03-000000003702}4564C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47d70|C:\Windows\System32\SHELL32.dll+6396c|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189894Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:38.441{414E8EDF-B0DB-6218-8600-000000003702}49564104C:\Windows\Explorer.EXE{414E8EDF-C88D-6218-AA03-000000003702}4564C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63940|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189893Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:38.441{414E8EDF-B0DB-6218-8600-000000003702}49564104C:\Windows\Explorer.EXE{414E8EDF-C88D-6218-AA03-000000003702}4564C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000189903Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:39.831{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=928948332B5E16800510C34147074473,SHA256=E69EEED1C3A86BA5ABDAC2E91822CD8FA149CB29E132A2AD89AAF81479AF0BC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135014Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:39.801{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23265AAA9492D4EF95C9B34AC9FE514E,SHA256=BC0C53F6FDFFBA994ABF4E55F69355812AE5500230E4CC7DCAE600B197697FB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189905Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:40.831{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDBDB1CCE7633BE16FFE21703BC311EF,SHA256=FC64189969DE95F91C3D6666F771B92EAED94AFFAF272D73139A4D478C90B392,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000189904Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:39.038{414E8EDF-B0BE-6218-2900-000000003702}2792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52665-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 10341000x8000000000000000135030Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:40.848{6AAC6DF5-CA10-6218-8903-000000003802}9322660C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{6AAC6DF5-B0B2-6218-2200-000000003802}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000135029Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:40.817{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E7F4F89A5BB9ADF5DE0B15B3A86EA30,SHA256=AA761754394337E0C46286607709FDE407F9E8B7CA47D7E0F7DAD2FA52833BA5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000135028Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:40.692{6AAC6DF5-B0B4-6218-2B00-000000003802}28082828C:\Windows\system32\conhost.exe{6AAC6DF5-CA10-6218-8903-000000003802}932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135027Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:40.692{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135026Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:40.692{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135025Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:40.692{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135024Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:40.692{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135023Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:40.692{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135022Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:40.692{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135021Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:40.692{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135020Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:40.692{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135019Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:40.692{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135018Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:40.692{6AAC6DF5-B0AF-6218-0500-000000003802}4241012C:\Windows\system32\csrss.exe{6AAC6DF5-CA10-6218-8903-000000003802}932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000135017Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:40.692{6AAC6DF5-B0B2-6218-2200-000000003802}15003888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6AAC6DF5-CA10-6218-8903-000000003802}932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000135016Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:40.693{6AAC6DF5-CA10-6218-8903-000000003802}932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6AAC6DF5-B0B0-6218-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{6AAC6DF5-B0B2-6218-2200-000000003802}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000135015Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:37.734{6AAC6DF5-B0C0-6218-5B00-000000003802}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-933.eu-central-1.compute.internal50961-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000189906Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:41.878{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99B8A51A6ABE2F3CE19025E679E53DEB,SHA256=5297FA3F1C88DDAEB1D1BCE56EE7EAEA125C3730D5DCE654D4F22A9EDD94119D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135046Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:41.817{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB62711AD379F4B9E739775F3B46E437,SHA256=AE05743D146F42EB3A51F1DA3D19EF458522F97882DCF35D6D3D8945A189CB0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135045Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:41.723{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6579CF4AAE0E0AA22FBB7516CD3FF39F,SHA256=92AFB4EC971792E814CC9513990512A80761A9EB1D2967F92E507E44D80FE829,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135044Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:41.723{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=99119AB04634F743D9ED02EA0480BF4B,SHA256=DA50B377EE3E2AC566CC57EA4A8F829A04BFFEE61542D142DEB37CEB7AB92A97,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000135043Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:41.364{6AAC6DF5-B0B4-6218-2B00-000000003802}28082828C:\Windows\system32\conhost.exe{6AAC6DF5-CA11-6218-8A03-000000003802}3680C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135042Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:41.364{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135041Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:41.364{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135040Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:41.364{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135039Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:41.364{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135038Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:41.364{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135037Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:41.364{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135036Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:41.364{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135035Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:41.364{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135034Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:41.364{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135033Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:41.364{6AAC6DF5-B0AF-6218-0500-000000003802}424540C:\Windows\system32\csrss.exe{6AAC6DF5-CA11-6218-8A03-000000003802}3680C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000135032Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:41.364{6AAC6DF5-B0B2-6218-2200-000000003802}15003888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6AAC6DF5-CA11-6218-8A03-000000003802}3680C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000135031Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:41.365{6AAC6DF5-CA11-6218-8A03-000000003802}3680C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6AAC6DF5-B0B0-6218-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{6AAC6DF5-B0B2-6218-2200-000000003802}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000135060Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:42.864{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFDA58C1561C3CE9020879B9302675B8,SHA256=11C363D6136C66F1B79007EE16864CEE1F1872367C578E21CE4D55FDE36CC79A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000135059Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:42.020{6AAC6DF5-B0B4-6218-2B00-000000003802}28082828C:\Windows\system32\conhost.exe{6AAC6DF5-CA12-6218-8B03-000000003802}2988C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135058Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:42.020{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135057Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:42.020{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135056Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:42.020{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135055Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:42.020{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135054Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:42.020{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135053Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:42.020{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135052Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:42.020{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135051Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:42.020{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135050Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:42.020{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135049Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:42.020{6AAC6DF5-B0AF-6218-0500-000000003802}4241012C:\Windows\system32\csrss.exe{6AAC6DF5-CA12-6218-8B03-000000003802}2988C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000135048Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:42.020{6AAC6DF5-B0B2-6218-2200-000000003802}15003888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6AAC6DF5-CA12-6218-8B03-000000003802}2988C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000135047Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:42.022{6AAC6DF5-CA12-6218-8B03-000000003802}2988C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6AAC6DF5-B0B0-6218-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{6AAC6DF5-B0B2-6218-2200-000000003802}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000135062Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:43.880{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A74FB213EA46C47028036D637198B9C,SHA256=EEE2761B8080A075FF9FEF7EB9A1D2B54A5BA31E13B39FB94A5DEC1678E51A4F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000189908Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:42.601{414E8EDF-B0C9-6218-6A00-000000003702}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52666-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000189907Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:43.113{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34314519924D9B1E025CA306F7EF1857,SHA256=2D78AE7D38A7CC9C560E9DE212563F2275526DED2A81C996695369EAE231002E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135061Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:43.036{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6579CF4AAE0E0AA22FBB7516CD3FF39F,SHA256=92AFB4EC971792E814CC9513990512A80761A9EB1D2967F92E507E44D80FE829,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135078Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:44.927{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A0B2C7436BE0C5752C7914C21978692,SHA256=825745796F4847812207C231F113306C3B0F80D027A08F665BCF60D5F3B9FCFF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000135077Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:44.927{6AAC6DF5-CA14-6218-8C03-000000003802}15361900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6AAC6DF5-B0B2-6218-2200-000000003802}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135076Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:44.739{6AAC6DF5-B0B4-6218-2B00-000000003802}28082828C:\Windows\system32\conhost.exe{6AAC6DF5-CA14-6218-8C03-000000003802}1536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135075Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:44.739{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135074Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:44.739{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135073Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:44.739{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135072Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:44.739{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135071Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:44.739{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135070Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:44.739{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135069Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:44.739{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135068Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:44.739{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135067Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:44.739{6AAC6DF5-B0AF-6218-0500-000000003802}424440C:\Windows\system32\csrss.exe{6AAC6DF5-CA14-6218-8C03-000000003802}1536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000135066Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:44.739{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135065Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:44.739{6AAC6DF5-B0B2-6218-2200-000000003802}15003888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6AAC6DF5-CA14-6218-8C03-000000003802}1536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000135064Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:44.740{6AAC6DF5-CA14-6218-8C03-000000003802}1536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{6AAC6DF5-B0B0-6218-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6AAC6DF5-B0B2-6218-2200-000000003802}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000135063Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:42.727{6AAC6DF5-B0C0-6218-5B00-000000003802}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-933.eu-central-1.compute.internal50962-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000189909Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:44.159{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F40DAC6AE949432BAFF4A334062F5416,SHA256=93C60359A7EF9D670558D72B5BFA9363D9AAD41573124BB715186CF3E7C7A848,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189910Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:45.159{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDF3E1ABC462935FA79224BB8FC65651,SHA256=C38A8DC26F0C63AF267974D568F24F8362BFB8D31E56F047CA01C954FFC9D6CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135093Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:45.973{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=42E7F6E53609C160E2DDD7169D351EC6,SHA256=742A7F3A3198DF818F537AEA5F820ABBCC334CE6C2C1D41ECBF5416A29364FFA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000135092Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:45.630{6AAC6DF5-CA15-6218-8D03-000000003802}7163420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6AAC6DF5-B0B2-6218-2200-000000003802}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135091Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:45.411{6AAC6DF5-B0B4-6218-2B00-000000003802}28082828C:\Windows\system32\conhost.exe{6AAC6DF5-CA15-6218-8D03-000000003802}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135090Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:45.411{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135089Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:45.411{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135088Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:45.411{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135087Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:45.411{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135086Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:45.411{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135085Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:45.411{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135084Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:45.411{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135083Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:45.411{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135082Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:45.411{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135081Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:45.411{6AAC6DF5-B0AF-6218-0500-000000003802}4241012C:\Windows\system32\csrss.exe{6AAC6DF5-CA15-6218-8D03-000000003802}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000135080Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:45.411{6AAC6DF5-B0B2-6218-2200-000000003802}15003888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6AAC6DF5-CA15-6218-8D03-000000003802}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000135079Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:45.412{6AAC6DF5-CA15-6218-8D03-000000003802}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6AAC6DF5-B0B0-6218-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6AAC6DF5-B0B2-6218-2200-000000003802}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000189911Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:46.284{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52784F750FCD615A9464B63071CD0E3D,SHA256=D5A9CD607A924F245987805288F429CCF0C196DC0F72978A2CF17F8F56949AB6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000135107Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:46.895{6AAC6DF5-B0B4-6218-2B00-000000003802}28082828C:\Windows\system32\conhost.exe{6AAC6DF5-CA16-6218-8E03-000000003802}2856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135106Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:46.895{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135105Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:46.895{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135104Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:46.895{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135103Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:46.895{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135102Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:46.895{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135101Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:46.895{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135100Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:46.895{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135099Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:46.895{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135098Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:46.895{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135097Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:46.895{6AAC6DF5-B0AF-6218-0500-000000003802}424540C:\Windows\system32\csrss.exe{6AAC6DF5-CA16-6218-8E03-000000003802}2856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000135096Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:46.895{6AAC6DF5-B0B2-6218-2200-000000003802}15003888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6AAC6DF5-CA16-6218-8E03-000000003802}2856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000135095Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:46.896{6AAC6DF5-CA16-6218-8E03-000000003802}2856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6AAC6DF5-B0B0-6218-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{6AAC6DF5-B0B2-6218-2200-000000003802}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000135094Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:45.989{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=424787AB052ADF084B742768C16E2D01,SHA256=E2FB5102E1058B6004A508659604C112F20034FEBBF619B79D8452DC43F132C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189914Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:47.300{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC4E2CC281524A25DEC262609EA923A4,SHA256=8021508B592FA7487801828D1525A9BA632F9116BCD2B7F7D7106608BAB27A3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135110Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:47.927{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2FB2A1833EC6648AEBC5D4A9C858D77D,SHA256=56A4DA15889F313D910DAB5B797B1ABB3C9AFBD197DB1891033D9B742F39B252,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000135109Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:47.098{6AAC6DF5-CA16-6218-8E03-000000003802}2856796C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{6AAC6DF5-B0B2-6218-2200-000000003802}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000135108Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:47.036{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D05C3CFF22EA606D1B129B94AF2E94E,SHA256=DF82C8A61AF012D15E9100A93C7FCCF3ED371025D12B81C86CF1283F9CADB8CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189913Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:47.191{414E8EDF-C88D-6218-AA03-000000003702}4564ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\session.xmlMD5=9A030CA680B9977CD820E6D983AB6913,SHA256=F3DE2A2092FCE82773283814A40A0306381E6D81F27C42ADDC8F9AC7344FF96A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000189912Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:46.340{414E8EDF-B0B0-6218-0F00-000000003702}100C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.125.157.80-52904-false10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local3389ms-wbt-server 23542300x8000000000000000189915Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:48.316{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EAB7EB342539C596F8E344214AF01BB,SHA256=81D960762ADF261FB8944841208392AAE8F62A1B5BB220F29E38656C4BAE6A9E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000135124Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:48.177{6AAC6DF5-B0B4-6218-2B00-000000003802}28082828C:\Windows\system32\conhost.exe{6AAC6DF5-CA18-6218-8F03-000000003802}1712C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135123Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:48.177{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135122Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:48.177{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135121Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:48.177{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135120Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:48.177{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135119Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:48.177{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135118Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:48.177{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135117Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:48.177{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135116Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:48.177{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135115Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:48.177{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135114Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:48.177{6AAC6DF5-B0AF-6218-0500-000000003802}4241012C:\Windows\system32\csrss.exe{6AAC6DF5-CA18-6218-8F03-000000003802}1712C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000135113Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:48.177{6AAC6DF5-B0B2-6218-2200-000000003802}15003888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6AAC6DF5-CA18-6218-8F03-000000003802}1712C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000135112Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:48.177{6AAC6DF5-CA18-6218-8F03-000000003802}1712C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6AAC6DF5-B0B0-6218-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{6AAC6DF5-B0B2-6218-2200-000000003802}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000135111Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:48.052{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFEC2C5294F4E089C0AE70AF6162D8CA,SHA256=98209FB92DECA7FF7ADC973AF10013C54BCDE9A971A77F4AE7181ACBFE0B0F86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135126Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:49.239{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FFE64C8AAE8E67A804D953EC638CBA4A,SHA256=F16A5A6BABC3FE30C783D2FE26443EC49D8F58552F4D85804E4B391EF78B1F28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135125Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:49.114{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B3AD686001F0004C67711565DE4EF61,SHA256=C88071EE0A66E44A801F5E9C77B086C926E3456DB31739C3A56794018BA7C277,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189916Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:49.316{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74ACB415DC7FD47F8E68D12B99C4BC38,SHA256=BF7E942AD685CE10D05D8ED996F5B3E13E0EADF52DE3DCEC8B9D87952C9174B7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000189934Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:50.878{414E8EDF-B0C0-6218-3300-000000003702}31843204C:\Windows\system32\conhost.exe{414E8EDF-CA1A-6218-D903-000000003702}5420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189933Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:50.878{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189932Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:50.878{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189931Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:50.878{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189930Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:50.878{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189929Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:50.878{414E8EDF-B0AE-6218-0500-000000003702}416372C:\Windows\system32\csrss.exe{414E8EDF-CA1A-6218-D903-000000003702}5420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000189928Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:50.878{414E8EDF-B0BE-6218-2900-000000003702}27923692C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{414E8EDF-CA1A-6218-D903-000000003702}5420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000189927Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:50.879{414E8EDF-CA1A-6218-D903-000000003702}5420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{414E8EDF-B0AE-6218-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{414E8EDF-B0BE-6218-2900-000000003702}2792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000189926Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:50.394{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33BB8100298E555D1F1FCD3AC5C87DEC,SHA256=58450C38AFE01349D9F0EA04E6B164D10DBA03DDF3278CB6C9AA2766F9995CF3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000135128Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:48.602{6AAC6DF5-B0C0-6218-5B00-000000003802}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-933.eu-central-1.compute.internal50963-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000135127Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:50.114{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A1EDE11FDBE15FBD84984B8557024F1,SHA256=E9C3D34615C7E6CF5453A9DB5A63613FD0319B66BAA4261D650BF98A3D915C76,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000189925Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:50.378{414E8EDF-B0C0-6218-3300-000000003702}31843204C:\Windows\system32\conhost.exe{414E8EDF-CA1A-6218-D803-000000003702}1728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189924Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:50.378{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189923Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:50.378{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189922Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:50.378{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189921Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:50.378{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189920Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:50.378{414E8EDF-B0AE-6218-0500-000000003702}416532C:\Windows\system32\csrss.exe{414E8EDF-CA1A-6218-D803-000000003702}1728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000189919Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:50.378{414E8EDF-B0BE-6218-2900-000000003702}27923692C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{414E8EDF-CA1A-6218-D803-000000003702}1728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000189918Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:50.379{414E8EDF-CA1A-6218-D803-000000003702}1728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{414E8EDF-B0AE-6218-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{414E8EDF-B0BE-6218-2900-000000003702}2792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000189917Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:48.584{414E8EDF-B0C9-6218-6A00-000000003702}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52667-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000189946Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:51.785{414E8EDF-CA1B-6218-DA03-000000003702}61001928C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{414E8EDF-B0BE-6218-2900-000000003702}2792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189945Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:51.550{414E8EDF-B0C0-6218-3300-000000003702}31843204C:\Windows\system32\conhost.exe{414E8EDF-CA1B-6218-DA03-000000003702}6100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189944Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:51.550{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189943Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:51.550{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189942Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:51.550{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189941Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:51.550{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189940Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:51.550{414E8EDF-B0AE-6218-0500-000000003702}416372C:\Windows\system32\csrss.exe{414E8EDF-CA1B-6218-DA03-000000003702}6100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000189939Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:51.550{414E8EDF-B0BE-6218-2900-000000003702}27923692C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{414E8EDF-CA1B-6218-DA03-000000003702}6100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000189938Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:51.551{414E8EDF-CA1B-6218-DA03-000000003702}6100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{414E8EDF-B0AE-6218-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{414E8EDF-B0BE-6218-2900-000000003702}2792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000189937Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:51.441{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5D09349D07E70992360A143E59E2CAB,SHA256=F26172FAA8EF69198C18B7EEB1E3D7B9FF27B44DEE0AAA979432BB2D5C31BC7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135129Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:51.130{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79B5CD63E5951C7CC4105EC4E452F0C4,SHA256=36D36CD3FCDEC7889FE1961A51203FBE5D845559DC68DDBB0D60D75A315AE26C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189936Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:51.378{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=78A4D8E5CE6D3627F0DF00BC24949CA4,SHA256=AC7E4EB2F1691122BBA7D9901BAFF0F283697D799871010A9396C01823EECE49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189935Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:51.378{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B7C157EDB694AE355462E0D92EE9A446,SHA256=037290789765092136CF7A9D66CD15EFC4B7A5717352C0A9083EB4293C15D54D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189957Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:52.550{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=78A4D8E5CE6D3627F0DF00BC24949CA4,SHA256=AC7E4EB2F1691122BBA7D9901BAFF0F283697D799871010A9396C01823EECE49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189956Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:52.441{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A603155D31A03F0AEC876EF9044C714,SHA256=185AE8D37608D9101988FD7D3342A270D4897866EDCF5C130DDBBDAB7A79373A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135130Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:52.145{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB5EDDA6EB0378047D7AA696728B0162,SHA256=977491D537AEA81901A689EBF69632A533590FC4E03ACCAD4D7A03A3F193CE99,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000189955Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:52.224{414E8EDF-CA1C-6218-DB03-000000003702}5885648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{414E8EDF-B0BE-6218-2900-000000003702}2792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189954Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:52.050{414E8EDF-B0C0-6218-3300-000000003702}31843204C:\Windows\system32\conhost.exe{414E8EDF-CA1C-6218-DB03-000000003702}588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189953Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:52.050{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189952Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:52.050{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189951Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:52.050{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189950Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:52.050{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189949Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:52.050{414E8EDF-B0AE-6218-0500-000000003702}416432C:\Windows\system32\csrss.exe{414E8EDF-CA1C-6218-DB03-000000003702}588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000189948Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:52.050{414E8EDF-B0BE-6218-2900-000000003702}27923692C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{414E8EDF-CA1C-6218-DB03-000000003702}588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000189947Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:52.051{414E8EDF-CA1C-6218-DB03-000000003702}588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{414E8EDF-B0AE-6218-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{414E8EDF-B0BE-6218-2900-000000003702}2792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000189976Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:53.894{414E8EDF-CA1D-6218-DD03-000000003702}1324388C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{414E8EDF-B0BE-6218-2900-000000003702}2792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189975Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:53.722{414E8EDF-B0C0-6218-3300-000000003702}31843204C:\Windows\system32\conhost.exe{414E8EDF-CA1D-6218-DD03-000000003702}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189974Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:53.722{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189973Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:53.722{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189972Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:53.722{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189971Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:53.722{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189970Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:53.722{414E8EDF-B0AE-6218-0500-000000003702}416372C:\Windows\system32\csrss.exe{414E8EDF-CA1D-6218-DD03-000000003702}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000189969Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:53.722{414E8EDF-B0BE-6218-2900-000000003702}27923692C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{414E8EDF-CA1D-6218-DD03-000000003702}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000189968Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:53.723{414E8EDF-CA1D-6218-DD03-000000003702}1324C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{414E8EDF-B0AE-6218-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{414E8EDF-B0BE-6218-2900-000000003702}2792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000189967Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:53.456{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E6A1270F87292DF3B28B54351E1C4EE,SHA256=DAC9A84C11B6AF4052F9D7DD2297BF3162D6293BCA9AA4776D674DA92AF80B4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135131Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:53.161{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A115B415EAD9D5504B0409C039CDE415,SHA256=8D90248B7B26898C7B4FF8924F608AABF110C4BE9A0F3109E430DCBE77F797A6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000189966Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:53.253{414E8EDF-CA1D-6218-DC03-000000003702}44442116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{414E8EDF-B0BE-6218-2900-000000003702}2792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189965Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:53.050{414E8EDF-B0C0-6218-3300-000000003702}31843204C:\Windows\system32\conhost.exe{414E8EDF-CA1D-6218-DC03-000000003702}4444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189964Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:53.050{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189963Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:53.050{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189962Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:53.050{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189961Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:53.050{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189960Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:53.050{414E8EDF-B0AE-6218-0500-000000003702}416432C:\Windows\system32\csrss.exe{414E8EDF-CA1D-6218-DC03-000000003702}4444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000189959Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:53.050{414E8EDF-B0BE-6218-2900-000000003702}27923692C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{414E8EDF-CA1D-6218-DC03-000000003702}4444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000189958Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:53.051{414E8EDF-CA1D-6218-DC03-000000003702}4444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{414E8EDF-B0AE-6218-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{414E8EDF-B0BE-6218-2900-000000003702}2792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000189981Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:54.566{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E58DD860C164D77C30F33A9F99397B0,SHA256=66F6CF13C1AE471CE7AE4E02FCAD61FD9A2B300E5C151812D07F9E5A2BA0DBF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135132Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:54.177{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=739FDE885F96CBBFD9773865072A3949,SHA256=B3E948BD00823CD13AB710A8501A08050F6982F37D24BDB5C4F29484692C2DA8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000189980Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:52.881{414E8EDF-B0AE-6218-0B00-000000003702}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-478.attackrange.local52668-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-478.attackrange.local389ldap 354300x8000000000000000189979Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:52.881{414E8EDF-B0BE-6218-2B00-000000003702}2820C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-478.attackrange.local52668-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-478.attackrange.local389ldap 23542300x8000000000000000189978Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:54.206{414E8EDF-C88D-6218-AA03-000000003702}4564ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\AttackRangeSysmon.xml@2022-02-25_122247MD5=0C867717096E4008F782E74992758EC5,SHA256=57C0FA6E074C4A825E9AAB96562218005BE653F37ACFABC5F0433F6B6A167244,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189977Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:54.066{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=91F5E9E8C1BBD095D803B68C8D6A37E3,SHA256=50897D46C3A99372444DA7B9144819031D5629AE2904AA6003CAAC97C014F5D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189990Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:55.581{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65289509D6E0DFB01AB4DE405928E83D,SHA256=33D16911A29F3363410BE806537D21B5A6BB9D66F83887CCFCF8D3878390D3B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135133Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:55.192{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39856EBAA80586A73E7C6B1B79D5CBE6,SHA256=C792D88A6A364146E4CA784377A52731972F2C1AEEF960EC9037F1AAC4A3C83C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000189989Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:54.600{414E8EDF-B0C9-6218-6A00-000000003702}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52669-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000189988Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:55.347{414E8EDF-B0DB-6218-8600-000000003702}49565440C:\Windows\Explorer.EXE{414E8EDF-C90F-6218-BB03-000000003702}5760C:\Program Files\IDA Freeware 7.6\ida64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189987Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:55.347{414E8EDF-B0DB-6218-8600-000000003702}49565440C:\Windows\Explorer.EXE{414E8EDF-C90F-6218-BB03-000000003702}5760C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189986Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:55.347{414E8EDF-B0DB-6218-8600-000000003702}49565440C:\Windows\Explorer.EXE{414E8EDF-C90F-6218-BB03-000000003702}5760C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189985Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:55.331{414E8EDF-B0DB-6218-8600-000000003702}49564104C:\Windows\Explorer.EXE{414E8EDF-C90F-6218-BB03-000000003702}5760C:\Program Files\IDA Freeware 7.6\ida64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+639b0|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189984Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:55.331{414E8EDF-B0DB-6218-8600-000000003702}49564104C:\Windows\Explorer.EXE{414E8EDF-C90F-6218-BB03-000000003702}5760C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47d70|C:\Windows\System32\SHELL32.dll+6396c|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189983Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:55.331{414E8EDF-B0DB-6218-8600-000000003702}49564104C:\Windows\Explorer.EXE{414E8EDF-C90F-6218-BB03-000000003702}5760C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63940|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189982Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:55.331{414E8EDF-B0DB-6218-8600-000000003702}49564104C:\Windows\Explorer.EXE{414E8EDF-C90F-6218-BB03-000000003702}5760C:\Program Files\IDA Freeware 7.6\ida64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189999Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:56.847{414E8EDF-B0C0-6218-3300-000000003702}31843204C:\Windows\system32\conhost.exe{414E8EDF-CA20-6218-DE03-000000003702}3436C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189998Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:56.847{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189997Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:56.847{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189996Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:56.847{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189995Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:56.847{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189994Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:56.847{414E8EDF-B0AE-6218-0500-000000003702}416532C:\Windows\system32\csrss.exe{414E8EDF-CA20-6218-DE03-000000003702}3436C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000189993Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:56.847{414E8EDF-B0BE-6218-2900-000000003702}27923692C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{414E8EDF-CA20-6218-DE03-000000003702}3436C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000189992Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:56.848{414E8EDF-CA20-6218-DE03-000000003702}3436C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{414E8EDF-B0AE-6218-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{414E8EDF-B0BE-6218-2900-000000003702}2792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000189991Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:56.613{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBC287E6B0B5AD5A2C9C19A1251B1814,SHA256=96999FE80A7096B59E7F9A7F06CAC8D9E1DEF872FD8BE95BC0E773501B90B0FF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000135135Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:54.555{6AAC6DF5-B0C0-6218-5B00-000000003802}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-933.eu-central-1.compute.internal50964-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000135134Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:56.208{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6459898759890D50F4B0F9D39A775EC,SHA256=1569A544D686D9C1603D0FEF080C68AC24C7D4FB396C7374D69A4A42FFB5E2FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190001Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:57.847{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B15A824B6E20DA474D6E1B88999C3EE0,SHA256=FE580607578FBC72E6424B5C771508A9053C28527FC039EA82F1E615E44D3D28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190000Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:57.753{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=658CFA8E4C095CB0A3227AE90A8A1663,SHA256=6805D1F51E146B071E2627C3D324426E9E00BB2E92C75505429DBD31695568DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135136Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:57.255{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B61997A7D0E077F4A5729D20DC6ED8EB,SHA256=67CF6BA258C2EFEAC811CC198DA1CC576E94ACE66B466B802AEE5EF245199150,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190002Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:58.785{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F719C8B5B49AB86D89C1651F53B0D5F4,SHA256=3EF72A5B4179D66536509E728C7BA12E36B42C72E28BD794BB6F8EB916C672B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135137Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:58.286{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7AE0EFC11E19658830C63FFEA174878,SHA256=4951447ECF279C9CD6D4565DC01E26854F9F89E4F5076A22319E3EDFB40AC43E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190010Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:59.800{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F0AD1F5F0661BBE0D407916FEC91849,SHA256=D03E54B5640C70E53C688AC27A0F162660B94737BE9D2A1191EE40E91904E61A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135138Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:59.333{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5394DA92DB61A7C23194D455424673AF,SHA256=522C7CA87E5E7C5479FA96B93E8DDC33CD69C48F31A66AB88EC163B2FCF8BCC4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000190009Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:59.628{414E8EDF-B0DB-6218-8600-000000003702}49565440C:\Windows\Explorer.EXE{414E8EDF-C88D-6218-AA03-000000003702}4564C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190008Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:59.628{414E8EDF-B0DB-6218-8600-000000003702}49565440C:\Windows\Explorer.EXE{414E8EDF-C88D-6218-AA03-000000003702}4564C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190007Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:59.628{414E8EDF-B0DB-6218-8600-000000003702}49565440C:\Windows\Explorer.EXE{414E8EDF-C88D-6218-AA03-000000003702}4564C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190006Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:59.628{414E8EDF-B0DB-6218-8600-000000003702}49564104C:\Windows\Explorer.EXE{414E8EDF-C88D-6218-AA03-000000003702}4564C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+639b0|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190005Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:59.628{414E8EDF-B0DB-6218-8600-000000003702}49564104C:\Windows\Explorer.EXE{414E8EDF-C88D-6218-AA03-000000003702}4564C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47d70|C:\Windows\System32\SHELL32.dll+6396c|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190004Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:59.628{414E8EDF-B0DB-6218-8600-000000003702}49564104C:\Windows\Explorer.EXE{414E8EDF-C88D-6218-AA03-000000003702}4564C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63940|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190003Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:22:59.628{414E8EDF-B0DB-6218-8600-000000003702}49564104C:\Windows\Explorer.EXE{414E8EDF-C88D-6218-AA03-000000003702}4564C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000190011Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:00.816{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F176C909B1DA963068948C4FBD61DA1,SHA256=0A013BD2908360CBAB88C9F57F18508CE7C81236189789987AD7E8DBF783767C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135139Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:00.364{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB4E0950214BBE2F0F30F93BD05CA12A,SHA256=3D96273C9E890736502B0D0945E756F5957D404897B33128520FFBB0AD2D16FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190012Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:01.816{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=755D849A9276B2D238A339CF7BA26F52,SHA256=2271CA4CAF04A097A38F07DF52C6D82AF01B47064B752E3FAB77C0EA0104671B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135140Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:01.396{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D04BFAC62017F8E0FC6672326543E52,SHA256=FE2DA6168F6D36A4FD424F6B82852ED76CD6E4837951A2717EE85CCC8444BE01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190014Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:02.956{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=269CDF9DB53A4179BF56D5B4250693E1,SHA256=E7FDDC680037E414DAAF05120778C95B20D1649018444A946F3CAEA543D39A9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135142Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:02.427{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7703767632A69B2486983F725A29285,SHA256=DF4F1C053ABBE79B6E625C39C844C6E20F56C634C91B02F4349FAAF05D12EC2A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000190013Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:00.568{414E8EDF-B0C9-6218-6A00-000000003702}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52670-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000135141Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:22:59.680{6AAC6DF5-B0C0-6218-5B00-000000003802}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-933.eu-central-1.compute.internal50965-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000190015Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:03.988{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED6CEEFDB550B7374668896278515CA8,SHA256=F65FCA5DB994E85D42EC02254C1BAC01D973035B87A075506D4C47575B673792,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135143Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:03.458{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CA85943982B70B48704CA5604085738,SHA256=6BF57C62A33424475944E225240A53E650138C6AE2AC64AD49C8794827FC2657,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135144Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:04.521{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72AAD2AD8BF16654ED4DBCA5E58FC069,SHA256=D90DC62CE47260C7C714B96AB3269996ACD58F939FFBD07D07D805E9F45BD905,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135145Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:05.552{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C1545AB7F38A55135C33F55D18788FC,SHA256=A7FF4B7FE025D66C463193617CDCEC781BCC6E21884CB81BF03645941BD6F36B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190016Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:05.019{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75E3CA97C8CBC695D3F2D51202613D35,SHA256=AF84F3C08ADC45FCDD467E80E42065E9B0D60C2F615AA06D4F5855243437B60A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135146Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:06.583{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=819839A390B1BA8361BBD8F8EC2118AA,SHA256=6EB0C9617B474E887FC347D2BE2FC5156A868C2E116AC70534141C744C9A1FA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190017Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:06.019{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9270003F74D266E1FB0B9A9335BAE695,SHA256=62FE1B6DD0D252071DEF3BA0DFA85A54EE74A6B6775CE3EF814AB9CD5D8AA310,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135147Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:07.599{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5227F1A2E231887B07E1084B1D1FEECB,SHA256=63BE3C4E65E857B872DF7260B2E04482926D18A50133168FAD4BA38C11EDD716,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000190019Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:05.647{414E8EDF-B0C9-6218-6A00-000000003702}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52671-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000190018Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:07.128{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=568064F9A6C7F4E09DE6AB1B724E2EE2,SHA256=67C5615A468A7FB46CA14209D124C1F916FD025C880515DA8416F414395E04B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190021Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:08.363{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9536C55D194DC4AEE373C07EC358B8B1,SHA256=0568E6F3EC55014793B929618919716379908EF018C83CDEC7CB8297DE0140D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135149Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:08.614{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE2F0FAB1FAE0A2198E5911C20143C2A,SHA256=2EF06D0A7F518183F4CAEDA39412655B0CD10D26AE59DB081A0DFE65DDCC4BA7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000135148Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:05.664{6AAC6DF5-B0C0-6218-5B00-000000003802}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-933.eu-central-1.compute.internal50966-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000190020Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:08.238{414E8EDF-C88D-6218-AA03-000000003702}4564ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\AttackRangeSysmon.xml@2022-02-25_122247MD5=95714ADA2CCB4E220358E6FD4E7149E1,SHA256=D7A6942A347ABB33C5F348E969411E380D564254A8249A951EADA5259A78438A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190022Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:09.363{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8932C34BC271A7D56A29FED4FBCA2AA9,SHA256=85CE17D56B77BCFE8CB5204B7E981225D47B57B16C4A78707B1DDF3C2E719A65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135150Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:09.646{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=880CFEACEC4C6795252C5D576822B047,SHA256=5488B19BCA1F2809AE7BD8F75E107118E8A6EF6434B464F7F3632F5F885604D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135152Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:10.662{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37A1027BECC25E662185B10C9C08C56B,SHA256=1BFEEC2D104FC9DC9ABA3FC1820C1DDD370DB2EA265ACB7F7A9B4FACB8DFADCF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190023Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:10.378{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86974124DCCEB498A736F14D352EEB58,SHA256=C28E949098011E133A1391FC091B76806BD3219E0FC100D53B801FEC0F61B2EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135151Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:10.603{6AAC6DF5-B0B2-6218-1D00-000000003802}1952NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d7ccee276d30a4b6\channels\health\respondent-20220225103429-105MD5=FBD42F5F8AA0DC0DD6067820063FF10B,SHA256=AAA41009555F09EFB0ED817562D7125DD50A33AE671816E82835424EE5CAE232,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135154Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:11.728{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C39E1EB54254A0964A6FA79B90CFADBB,SHA256=315944B64DB730202433E3B2525E891969F5BD7B6008B0E0FF73D49881C0A127,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190024Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:11.410{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=151ECF19E911B037CCEBB5307FAF29EB,SHA256=9AADA17730CBCE182417D7DCDA9D93D08024BB96C48D0B26D5C4E4A19F11AB51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135153Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:11.616{6AAC6DF5-B0B2-6218-1D00-000000003802}1952NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d7ccee276d30a4b6\channels\health\surveyor-20220225103427-106MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135155Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:12.746{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=839A91DD3FDC1A73B76BC7E9E37235E9,SHA256=5D4D9D5ECA181B61C0AE981D68E556D34E6294D4EBE24D153B017A921F1AD0D1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000190026Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:11.522{414E8EDF-B0C9-6218-6A00-000000003702}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52672-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000190025Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:12.441{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=266EFBB05D871876F389753C24B98739,SHA256=3902FE6D791817EF33A06025265E2C5F06E35965F265516BEEEC8D3809B6565A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190027Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:13.472{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69DF5DDEF4FB2C6139CBE282B622D908,SHA256=770CD93712F6B9E3D9ECF02AD7B29B6D48931C2687B072C1B9036E6BF2C1854E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135156Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:13.762{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E77BA9EF54F4FBA8F7EF6FEEE44D55A,SHA256=F9760313E3E80D961BA4C0DAB22861FF0CF8E8FCCC11BE00BA24B313D5C4C69D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190030Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:14.707{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B3A92B01952CB8B9F2EC304F2FB4253,SHA256=5664081C6D7B27C1316F3250D9DA2D417C9B3F36ABB385A730042757EAB8E7FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135158Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:14.793{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DADEE70452ED394171D84A54036B011,SHA256=F1CFD0E310EB5C19165987E3986EBBA2A81B5F97A167243245A96943E2D1348C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190029Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:14.097{414E8EDF-C88D-6218-AA03-000000003702}4564ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\AttackRangeSysmon.xml@2022-02-25_122247MD5=63AEFF578DDAA8A0B9F280204513B21E,SHA256=3138E9A60FDC95817E5C9196C430057BEAAD12CAA14D2BA378D8994462BF67A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190028Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:14.082{414E8EDF-C88D-6218-AA03-000000003702}4564ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Program Files\ansible\AttackRangeSysmon.xmlMD5=5016C08F34A98A60FEE7539597F9F8CE,SHA256=B81C10C35D7DD2C5A23C7CC6E92E769736F27D544FBC7B73DA85FE7CE853C858,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000135157Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:11.622{6AAC6DF5-B0C0-6218-5B00-000000003802}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-933.eu-central-1.compute.internal50967-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000190032Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:15.894{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD0B45E124FBBCDE855E9743F78090DE,SHA256=D111B0F21089C5D529291746ED0BA6A92734E1A60ED502B9666952353386503F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135159Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:15.809{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D76CF51FA680B057488070B399D63EF,SHA256=3920D6E8184B097BA1DEC85104FFC701BE4D8238E736933392ADF39638AB1889,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190031Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:15.253{414E8EDF-C88D-6218-AA03-000000003702}4564ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\session.xmlMD5=9B1C4570061D4FA187D7FE1F7E597D3A,SHA256=40DF6944413EDDE01711D6B1DE8357307FF26BB1C78B1CF9F534DB375B797770,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135160Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:16.824{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85D04B4DB8B0894BA49D0C400A993AA8,SHA256=811A8052470CB3C17A28215D1B6888986103F6131F009523261C4B82FCA3B8DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135161Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:17.840{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB6BC8229CF0411B48FCE9C496F03A6D,SHA256=C073F9C9604636473DB1C531B4C3CCD11BB6B8DC4C53E77B304E0DD731650D0C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000190036Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:16.678{414E8EDF-B0C9-6218-6A00-000000003702}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52673-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000190035Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:17.535{414E8EDF-C88D-6218-AA03-000000003702}4564ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\AttackRangeSysmon.xml@2022-02-25_122315MD5=A4868BE9031A19FA69F88A18071835C4,SHA256=99645F3AEB912CAD46DC8DF3C9EFA4F203B838B68645E67AC2E792369AC73EA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190034Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:17.535{414E8EDF-C88D-6218-AA03-000000003702}4564ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Program Files\ansible\AttackRangeSysmon.xmlMD5=73B3C0FCBFFE61855FDCA896127DE829,SHA256=212E7AE02767D985EEE3A5D405AF0560685006B93E68AF3AF25339E8F26A537A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190033Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:17.035{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=388320B3EDB3C8E2FE4951CA728E4DF2,SHA256=B21AE7706A3A3AC4BD93AFA5EB3064BFB735C57B460F2313E0AAE5401098AC90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135162Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:18.855{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2429D5EA75344F29B91D11643CC1C5EB,SHA256=2412C4EA321430C4CF02E0D2DD9BA04EECB645C51DD77FFD78EF2F5B3C0F1621,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000190044Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:18.441{414E8EDF-B0DB-6218-8600-000000003702}49563240C:\Windows\Explorer.EXE{414E8EDF-C90F-6218-BB03-000000003702}5760C:\Program Files\IDA Freeware 7.6\ida64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190043Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:18.441{414E8EDF-B0DB-6218-8600-000000003702}49563240C:\Windows\Explorer.EXE{414E8EDF-C90F-6218-BB03-000000003702}5760C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190042Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:18.441{414E8EDF-B0DB-6218-8600-000000003702}49563240C:\Windows\Explorer.EXE{414E8EDF-C90F-6218-BB03-000000003702}5760C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190041Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:18.441{414E8EDF-B0DB-6218-8600-000000003702}49564104C:\Windows\Explorer.EXE{414E8EDF-C90F-6218-BB03-000000003702}5760C:\Program Files\IDA Freeware 7.6\ida64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+639b0|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190040Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:18.441{414E8EDF-B0DB-6218-8600-000000003702}49564104C:\Windows\Explorer.EXE{414E8EDF-C90F-6218-BB03-000000003702}5760C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47d70|C:\Windows\System32\SHELL32.dll+6396c|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190039Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:18.441{414E8EDF-B0DB-6218-8600-000000003702}49564104C:\Windows\Explorer.EXE{414E8EDF-C90F-6218-BB03-000000003702}5760C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63940|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190038Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:18.441{414E8EDF-B0DB-6218-8600-000000003702}49564104C:\Windows\Explorer.EXE{414E8EDF-C90F-6218-BB03-000000003702}5760C:\Program Files\IDA Freeware 7.6\ida64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000190037Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:18.050{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F40A9F2DF5582EB7785FF5AFA612B22,SHA256=9FD1FE11E81A270F4A1E4D0F4968698B2E789A19440C4C3BC35BBE4AE55F9FB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135165Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:19.918{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CA964CD0E36DD2E87937AE966822763,SHA256=74020F34B465B6B45967ACA0F2F572AEE3F77A7DF068DCE1C2411077A64F876A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190045Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:19.285{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9153F0A53E39273D0D06AE129B825588,SHA256=BA4427807DA01F0F0858BFF0F557345234FA0BE5AA67577683710E72346FA5C9,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000135164Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-SetValue2022-02-25 12:23:19.449{6AAC6DF5-B0B1-6218-1400-000000003802}1084C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d82a42-0x790c75cb) 354300x8000000000000000135163Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:17.624{6AAC6DF5-B0C0-6218-5B00-000000003802}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-933.eu-central-1.compute.internal50968-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000135166Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:20.934{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E48FA2B73D403C2F30DFFCF4FC87D3A8,SHA256=CEB7CEDBE5B2A2923B388B6260796070AE35E705A9AC89AB19714627D3504784,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190053Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:20.503{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=216A55DF5C195CAA4BD0556B1EC27408,SHA256=15919B368557A093E40C925C84DF8FB8B510806BAC93C4BC78704955B64F6F32,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000190052Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:20.144{414E8EDF-B0DB-6218-8600-000000003702}49563240C:\Windows\Explorer.EXE{414E8EDF-C88D-6218-AA03-000000003702}4564C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190051Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:20.144{414E8EDF-B0DB-6218-8600-000000003702}49563240C:\Windows\Explorer.EXE{414E8EDF-C88D-6218-AA03-000000003702}4564C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190050Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:20.144{414E8EDF-B0DB-6218-8600-000000003702}49563240C:\Windows\Explorer.EXE{414E8EDF-C88D-6218-AA03-000000003702}4564C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190049Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:20.144{414E8EDF-B0DB-6218-8600-000000003702}49564104C:\Windows\Explorer.EXE{414E8EDF-C88D-6218-AA03-000000003702}4564C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+639b0|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190048Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:20.144{414E8EDF-B0DB-6218-8600-000000003702}49564104C:\Windows\Explorer.EXE{414E8EDF-C88D-6218-AA03-000000003702}4564C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47d70|C:\Windows\System32\SHELL32.dll+6396c|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190047Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:20.144{414E8EDF-B0DB-6218-8600-000000003702}49564104C:\Windows\Explorer.EXE{414E8EDF-C88D-6218-AA03-000000003702}4564C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63940|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190046Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:20.144{414E8EDF-B0DB-6218-8600-000000003702}49564104C:\Windows\Explorer.EXE{414E8EDF-C88D-6218-AA03-000000003702}4564C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000135167Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:21.968{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7249A700B56560D494632E6E58B8646F,SHA256=545373A4872567E9E69ED76CB1583150C487198A91EB8FECE8358770247788F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190055Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:21.544{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13ACB0557CE449911710835206620770,SHA256=673E5C408CA4B38F633295B15FA9F7CBA91FFD71C5A33FC06CCAB4C667338F01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190054Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:21.405{414E8EDF-B0BE-6218-2400-000000003702}2716NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0cad71091a725587e\channels\health\respondent-20220225103441-105MD5=E961008872A85D9E7B2EDCDB9076BE5A,SHA256=4C7B4263F3F8553ACCFCCC53A0FA56737D447810FFCB4A43A3BA8D688A9FDFED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135168Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:22.984{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AE24C80821DE1D9AE78A78E2587D96D,SHA256=3C0BDD824E416A4FCAC8D3761B1F3016EC6642A01318F0103F44C69459A54663,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190057Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:22.583{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22B12BE70BDC30AC78C1400140E6F74C,SHA256=0DF8FC82AFFE8AFDBFDEB60BC68280CF75F73E799A1676200E1ACC490E854739,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190056Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:22.409{414E8EDF-B0BE-6218-2400-000000003702}2716NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0cad71091a725587e\channels\health\surveyor-20220225103439-106MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190058Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:23.585{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72A400070CA6F8E09FE21B01AFB003CD,SHA256=797E9C2448086E99C9733EB0F7B3B5D6C3B4F5C15783D95BB297509F2F189B44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190060Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:24.585{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98AD4AA5D4B4BFFDD8ABA23D21DC648C,SHA256=75C698BA29F48E39EC0FEE78DA5538D2C6D4E7C5A895947E5A700BD01327EC09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135169Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:24.015{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C959DB081ACE1FDA8C598D3A3A17CF8F,SHA256=720E255E37F145C9BEC328FCDBA79EA5225D2910945B4613E44DE1838333C155,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000190059Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:22.546{414E8EDF-B0C9-6218-6A00-000000003702}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52674-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000190062Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:25.601{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E96FCC891EE5BFA5E42AC5F10CC1E89,SHA256=E702CCD334AF9AB479FA06BD5DDDEA7C54F09C59AD09C833F0D4CF83420A381C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000135171Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:23.577{6AAC6DF5-B0C0-6218-5B00-000000003802}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-933.eu-central-1.compute.internal50969-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000135170Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:25.062{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65A309EA72FE1DDFD90BCEE40F37E04A,SHA256=8524E5C6793866315146F62A6BA3CD33F7751266A854896F328679E3EFE292D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190061Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:25.507{414E8EDF-B0B1-6218-1100-000000003702}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=E37A98C4E83CA40ABDF32D99BD2C0F38,SHA256=6920C2C0CF774A1B30E290A5AEA997BD663430489E2B0BB82CD6F78C9AB31F61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190063Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:26.648{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9424562CFF7EFBE7A8BAE3CD8AE3F263,SHA256=DE3A2014865ACCB781A6A554C29F9F2DAA5815DDF06542B1C36E35772C88294B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135173Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:26.812{6AAC6DF5-B0B1-6218-1300-000000003802}108NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=1B241C7808450ECC1EE73C73E933185A,SHA256=AB0A56081DDFA33355D0964EA92DB7108F47318A59F604E6CAD004D9C9D3F119,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135172Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:26.093{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BA6A358DE25702A7379B051B5CF3A1B,SHA256=B2A4C6914D0473C2BB3884703C69DBF13C6D432EF558EF15B50364FFD04A1B18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190064Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:27.648{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7120BA933CA704CC35D8FFEAC82624B9,SHA256=8825DA66625EE6B3F3F4489CE608D91C0E9E53E647FCF48082FF08970C408EED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135174Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:27.124{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56B652588A061C0E1509BE6CBA7B1F6F,SHA256=8466951CF92AAC9B66D4A6C3DCCB26AD46211B54C4BA89F3931D4EE294601CF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190065Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:28.882{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C5DE405B70F94D442ACD3F3877863F6,SHA256=17168B9AC81A2A0C67AC992839F391032F2E53D6F9849FA14154025C1E6E47D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135175Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:28.155{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D3F7F97CC5671A156B295C951F57C4A,SHA256=B8865961643A1D731A42B3A933CBF5A0C9B3494307CD65E3F81A83ACD9EA2529,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190067Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:29.898{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35A170D53575533B79C6145553DFFCE0,SHA256=D3BDD3767B47F53E35DA08B6D337ACECD316930F2DADCE33FDB1E1AA519207ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135176Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:29.187{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5AAAAC112FDF341E004F5F59B6DAF62,SHA256=B85BA91C4A7D9B8863A1F6F0541D426474B46B48CA6301C4ABFF2521EB6231AA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000190066Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:27.728{414E8EDF-B0C9-6218-6A00-000000003702}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52675-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000190068Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:30.914{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2DEFF6B17C0B4893BA3201F17FF714C,SHA256=F9F47821351F221907581F51FAF308F0E9B4018BC1A727ED7E0733574EBB8440,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135178Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:30.202{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=433A5D9A1D64FBA35CC49939695F63CF,SHA256=1D25C498628C1E727D0D3BD29781E486A67806F413D910362B47A45C1FB04C66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135177Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:30.187{6AAC6DF5-B0B2-6218-2200-000000003802}1500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=4A396A40DE4AD844AFDFD6BFEE34209D,SHA256=ABC582D2644B8C5C1CF17206963A01B55D9A40BBB1979B03D8F2D216AA803ABE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190069Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:31.961{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=710695E859BA972C5F6CBE7D65FE3FDB,SHA256=570C63EE1BACE151E97F98F9F7A8E572A027349EC55DA3C763B56BDAE5967FFB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000135181Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:29.671{6AAC6DF5-B0B2-6218-2200-000000003802}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-933.eu-central-1.compute.internal50971-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x8000000000000000135180Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:29.577{6AAC6DF5-B0C0-6218-5B00-000000003802}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-933.eu-central-1.compute.internal50970-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000135179Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:31.218{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18743DF3361CCA256678E12BA5F045EC,SHA256=E546BB7F583B9D05A9F9F9B374E1E09F8F8AA22E6574BEC962E1F30A5A20FDC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190070Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:32.992{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B80FFF8D9D2093F0D01F9DCA270662FE,SHA256=AD2148829AAB678AEC10E9649546645DB9DD2D1D7B5A94B4BB3BD40A65834465,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135182Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:32.218{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=623DE676E1317437E7C55F93C30C8AC5,SHA256=F434D835C9262ECEE3A2C9CFFACDEEBF63FC99FA448A2A889F904BB2A00591BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135183Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:33.234{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5AFF1AEC7A07F31B7E28A0B53729D5D,SHA256=E92AA2C50F323A458FA01E2574B5140AE36ACE1CE309B118C6C5A69B7763C8B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135184Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:34.249{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF5F4AB58099B40A74CB8C9D682AEE00,SHA256=6652E22718CD35E26F32D35E0993C7F29F6482D32EF631F542C7FE450D0E7339,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190071Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:34.007{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A8678D78F89060B1422564968453A8F,SHA256=1263CAEDA2D736E179A57C2FAF356229C4198D75F005488B6E52CDC77E27C622,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135185Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:35.265{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E69E2FFFA1D9C7145E96812CD508943,SHA256=115E14D558E3C0E910419FFDBA757B103E6C6060DC59A30F996521EB90C6393F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000190073Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:33.682{414E8EDF-B0C9-6218-6A00-000000003702}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52676-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000190072Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:35.008{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1A34686526B94034792286E0A4D7FE0,SHA256=52E41C28171A3300B7DE9FF25F31D0FD19BA294789581B31D43E774C678CF545,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135186Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:36.280{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1DE522A41FFC400006C79D6829B6DED,SHA256=1973800AEFD897CD0CD0A92A8050670B8848087C7DB21248FDAC38E34F1F74FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190074Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:36.023{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C7CD5119A557713334FC07D951704D5,SHA256=8ED2714C7A5F36A6DE83FDDBCEA6F917F4FE3604956C4110D31B4A00C46F2404,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000135188Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:35.624{6AAC6DF5-B0C0-6218-5B00-000000003802}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-933.eu-central-1.compute.internal50972-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000135187Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:37.280{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0B46750583A82C3810C740657E6CE20,SHA256=D1D00CFA7A994DFEEBC3DC31C6DBD675284528DDB798BA832B71E77B791CA852,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190075Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:37.039{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BEA92425B82D0BD5F073962B5B56C04,SHA256=4EACCF2A4F06B2025F53BEBE1DC3ADB2325C1A6125BF8E4F2C9B9160B716AFC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135189Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:38.296{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC3E4BDB5CF3223224BE799DF3C450B9,SHA256=060CCE793D81CB1A199D03A25F2A7196E371DE1F1225CAE2CE081766FB6D7D24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190077Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:38.570{414E8EDF-B0BE-6218-2900-000000003702}2792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=4A396A40DE4AD844AFDFD6BFEE34209D,SHA256=ABC582D2644B8C5C1CF17206963A01B55D9A40BBB1979B03D8F2D216AA803ABE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190076Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:38.039{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57509AB51F518F2EB72601E43E60406A,SHA256=01A1756CA067ACEDE73718FE5FB7F78DB58E6E68358847AAFB9E7E63FD431CA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135190Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:39.312{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F78E1C9FB49AE3320054985E0EFA31CA,SHA256=F961F96EE4697F37C42DD306BEEEA25662CCC7C698CEE25885FD7800864E999A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190078Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:39.132{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6AA3A9308B3831AF1009803B2C64E63,SHA256=20F3EC6BF91C3B1404BBD92C319913824288BB81C9C8822737E00A661F766B9A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000135204Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:40.702{6AAC6DF5-B0B4-6218-2B00-000000003802}28082828C:\Windows\system32\conhost.exe{6AAC6DF5-CA4C-6218-9003-000000003802}3576C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135203Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:40.702{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135202Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:40.702{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135201Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:40.702{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135200Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:40.702{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135199Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:40.702{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135198Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:40.702{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135197Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:40.702{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135196Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:40.702{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135195Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:40.702{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135194Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:40.702{6AAC6DF5-B0AF-6218-0500-000000003802}424540C:\Windows\system32\csrss.exe{6AAC6DF5-CA4C-6218-9003-000000003802}3576C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000135193Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:40.702{6AAC6DF5-B0B2-6218-2200-000000003802}15003888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6AAC6DF5-CA4C-6218-9003-000000003802}3576C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000135192Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:40.703{6AAC6DF5-CA4C-6218-9003-000000003802}3576C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6AAC6DF5-B0B0-6218-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{6AAC6DF5-B0B2-6218-2200-000000003802}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000135191Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:40.327{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2FBA5A0283B12AF630AFC094D3EF54D,SHA256=93270AAEB8E01D4209ED54050EFEB541D5693A20A162E5EC99830456D5143F2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190079Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:40.148{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=338AC99DE2F88272ADBD024BFF466D59,SHA256=94A9BABC7D7F97682DDAD79A7FB1BEBF5236461F11D016DDEF896C850606583C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000135234Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:41.749{6AAC6DF5-B0B4-6218-2B00-000000003802}28082828C:\Windows\system32\conhost.exe{6AAC6DF5-CA4D-6218-9203-000000003802}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135233Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:41.749{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135232Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:41.749{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135231Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:41.749{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135230Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:41.749{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135229Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:41.749{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135228Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:41.749{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135227Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:41.749{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135226Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:41.749{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135225Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:41.749{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135224Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:41.749{6AAC6DF5-B0AF-6218-0500-000000003802}424540C:\Windows\system32\csrss.exe{6AAC6DF5-CA4D-6218-9203-000000003802}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000135223Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:41.749{6AAC6DF5-B0B2-6218-2200-000000003802}15003888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6AAC6DF5-CA4D-6218-9203-000000003802}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000135222Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:41.750{6AAC6DF5-CA4D-6218-9203-000000003802}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6AAC6DF5-B0B0-6218-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{6AAC6DF5-B0B2-6218-2200-000000003802}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000135221Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:41.718{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4642A4E4D4BDC205832BD692C3F8CBDF,SHA256=5AB352CE2E715986D4A0A3BD2C1C732AA52A6D20ED6DF986CAF24909F5BB63E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135220Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:41.718{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=56A8F5A8D6B8A2AEE1D8DB0778D23E13,SHA256=D65373A9E5C90EFA4E3F0350EB4C303678886BC70528B2057081E361CFFFC590,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000135219Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:41.468{6AAC6DF5-CA4D-6218-9103-000000003802}31843356C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{6AAC6DF5-B0B2-6218-2200-000000003802}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000135218Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:41.437{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5090AEDDD3E1AFF5002F484A4F03F238,SHA256=BB17BACD6C7CAB8692378B182192C94013FA5CD57337E0AC1875FE68AE8D2963,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000190082Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:39.666{414E8EDF-B0C9-6218-6A00-000000003702}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52678-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000190081Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:39.057{414E8EDF-B0BE-6218-2900-000000003702}2792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52677-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000190080Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:41.195{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0B88BBA7F2F4AA48F2D4EF053784FF6,SHA256=B77550EC955740655A38DDB714299F1FE1C967F84949B5964737C76B2DD6857A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000135217Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:41.249{6AAC6DF5-B0B4-6218-2B00-000000003802}28082828C:\Windows\system32\conhost.exe{6AAC6DF5-CA4D-6218-9103-000000003802}3184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135216Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:41.249{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135215Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:41.249{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135214Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:41.249{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135213Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:41.249{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135212Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:41.249{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135211Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:41.249{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135210Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:41.249{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135209Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:41.249{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135208Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:41.249{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135207Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:41.249{6AAC6DF5-B0AF-6218-0500-000000003802}424440C:\Windows\system32\csrss.exe{6AAC6DF5-CA4D-6218-9103-000000003802}3184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000135206Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:41.249{6AAC6DF5-B0B2-6218-2200-000000003802}15003888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6AAC6DF5-CA4D-6218-9103-000000003802}3184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000135205Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:41.250{6AAC6DF5-CA4D-6218-9103-000000003802}3184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6AAC6DF5-B0B0-6218-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{6AAC6DF5-B0B2-6218-2200-000000003802}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000135236Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:42.796{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4642A4E4D4BDC205832BD692C3F8CBDF,SHA256=5AB352CE2E715986D4A0A3BD2C1C732AA52A6D20ED6DF986CAF24909F5BB63E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135235Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:42.577{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEA82E16052D1838AE19CDBCC0473704,SHA256=0218EC13E155F412B554C0F9785537D01C7DCD30662D17A55D083ABC1C16EB15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190083Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:42.211{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFE8A2E7D9CDD3A68520B0D74DE8D359,SHA256=97AB8A017797D2F6021A00935D82C5A82710350F8E12E5D9C0CC9C2F11F25648,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135237Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:43.609{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C6FAD75E9FC9CAB68B95324A86F4EDB,SHA256=D95EA945C6DA72A236EA750779371896A68C3CC94AD8CED37D02CF74E0F5ECBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190084Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:43.226{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6666940C3ABED3375570CB1B7EF647FA,SHA256=15E6DE6220499E346B7A907CA46EAC5D1B94BF708743566C21B7E48A6444E020,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000135253Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:44.937{6AAC6DF5-CA50-6218-9303-000000003802}34163728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6AAC6DF5-B0B2-6218-2200-000000003802}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135252Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:44.702{6AAC6DF5-B0B4-6218-2B00-000000003802}28082828C:\Windows\system32\conhost.exe{6AAC6DF5-CA50-6218-9303-000000003802}3416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135251Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:44.702{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135250Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:44.702{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135249Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:44.702{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135248Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:44.702{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135247Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:44.702{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135246Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:44.702{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135245Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:44.702{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135244Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:44.702{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135243Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:44.702{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135242Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:44.702{6AAC6DF5-B0AF-6218-0500-000000003802}4241012C:\Windows\system32\csrss.exe{6AAC6DF5-CA50-6218-9303-000000003802}3416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000135241Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:44.702{6AAC6DF5-B0B2-6218-2200-000000003802}15003888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6AAC6DF5-CA50-6218-9303-000000003802}3416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000135240Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:44.703{6AAC6DF5-CA50-6218-9303-000000003802}3416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{6AAC6DF5-B0B0-6218-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6AAC6DF5-B0B2-6218-2200-000000003802}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000135239Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:44.624{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=480DCCB947E9323BEC7B178A5B26676D,SHA256=F334C4EEE1A3344BCAC1882B1FABE6E5D9EA7A4B04310DCEF703AB7583D80542,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190085Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:44.257{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23AAA0A79AC1E90205E579576D788083,SHA256=1565A68FF79DDD747A413A3230EE7EFBC69BEF6ED12DAAC5B1E2AD4ECB9EDF35,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000135238Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:41.655{6AAC6DF5-B0C0-6218-5B00-000000003802}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-933.eu-central-1.compute.internal50973-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000135269Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:45.827{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B99032B0317616CD4859B6B96FD7C177,SHA256=65F825DBBA1328D47EBA264EE12F2F77C51BDF485F034FCD07E7CD30316C5ABE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135268Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:45.827{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C3006DE1A937BF4E3600044D94F27BE7,SHA256=CB4DE8E32BF100DC2A50BAB463620CB21D92DF918460E700E87D47CB1E5AC65B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190086Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:45.273{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A9F6E473465A8B0809E72B8FE3B1A04,SHA256=BE54E47E631845E05CF534C63D2ED5C561B29C8AFE03DFE0D2E6A6EF99600D7B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000135267Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:45.437{6AAC6DF5-CA51-6218-9403-000000003802}32163412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6AAC6DF5-B0B2-6218-2200-000000003802}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135266Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:45.218{6AAC6DF5-B0B4-6218-2B00-000000003802}28082828C:\Windows\system32\conhost.exe{6AAC6DF5-CA51-6218-9403-000000003802}3216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135265Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:45.218{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135264Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:45.218{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135263Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:45.218{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135262Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:45.218{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135261Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:45.218{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135260Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:45.218{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135259Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:45.218{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135258Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:45.218{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135257Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:45.218{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135256Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:45.218{6AAC6DF5-B0AF-6218-0500-000000003802}424440C:\Windows\system32\csrss.exe{6AAC6DF5-CA51-6218-9403-000000003802}3216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000135255Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:45.218{6AAC6DF5-B0B2-6218-2200-000000003802}15003888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6AAC6DF5-CA51-6218-9403-000000003802}3216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000135254Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:45.219{6AAC6DF5-CA51-6218-9403-000000003802}3216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6AAC6DF5-B0B0-6218-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6AAC6DF5-B0B2-6218-2200-000000003802}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000190087Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:46.492{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CAB0A8E744B16639D46B1E4FB813DA6,SHA256=1AFED9293D1D24CC3923BB3F0C7DD6DBB77D6B8BA45EF0766C7974E563988081,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000135282Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:46.921{6AAC6DF5-B0B4-6218-2B00-000000003802}28082828C:\Windows\system32\conhost.exe{6AAC6DF5-CA52-6218-9503-000000003802}3064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135281Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:46.921{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135280Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:46.921{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135279Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:46.921{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135278Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:46.921{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135277Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:46.921{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135276Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:46.921{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135275Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:46.921{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135274Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:46.921{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135273Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:46.921{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135272Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:46.921{6AAC6DF5-B0AF-6218-0500-000000003802}424540C:\Windows\system32\csrss.exe{6AAC6DF5-CA52-6218-9503-000000003802}3064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000135271Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:46.921{6AAC6DF5-B0B2-6218-2200-000000003802}15003888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6AAC6DF5-CA52-6218-9503-000000003802}3064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000135270Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:46.922{6AAC6DF5-CA52-6218-9503-000000003802}3064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6AAC6DF5-B0B0-6218-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{6AAC6DF5-B0B2-6218-2200-000000003802}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000190089Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:45.681{414E8EDF-B0C9-6218-6A00-000000003702}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52679-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000190088Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:47.507{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=984AD68F3699EF62B1C4C2EE8F408670,SHA256=B81BE69362519B1D9881797077A95929C1068B3245AA06BFF272FCFE878A6BEA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000135284Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:47.155{6AAC6DF5-CA52-6218-9503-000000003802}30642924C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{6AAC6DF5-B0B2-6218-2200-000000003802}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000135283Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:47.077{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AF3CE96CD78C83D95C825A0A9D55D70,SHA256=2A76E06AC1CB7A6F61C580CC2C239C3556DF034B4AC2703F77B0C508B773C654,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190090Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:48.523{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5731D1D33B4C5C5039EDE9708C7214A,SHA256=5FEF2EE116CA6AFD7903FC84EE565AA8288ED0FCDCFB3DFCB7815829701AD9B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135299Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:48.155{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2B9AF9CB1B90A2693D75C93CEAF92112,SHA256=945BC74C7498AD74C594C95D7348B97B5EC28E8E06DAEE53758EF7B35341807F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000135298Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:48.109{6AAC6DF5-B0B4-6218-2B00-000000003802}28082828C:\Windows\system32\conhost.exe{6AAC6DF5-CA54-6218-9603-000000003802}2516C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135297Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:48.109{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135296Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:48.109{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135295Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:48.109{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135294Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:48.109{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135293Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:48.109{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135292Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:48.109{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135291Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:48.109{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135290Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:48.109{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135289Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:48.109{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135288Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:48.109{6AAC6DF5-B0AF-6218-0500-000000003802}424540C:\Windows\system32\csrss.exe{6AAC6DF5-CA54-6218-9603-000000003802}2516C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000135287Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:48.109{6AAC6DF5-B0B2-6218-2200-000000003802}15003888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6AAC6DF5-CA54-6218-9603-000000003802}2516C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000135286Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:48.109{6AAC6DF5-CA54-6218-9603-000000003802}2516C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6AAC6DF5-B0B0-6218-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{6AAC6DF5-B0B2-6218-2200-000000003802}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000135285Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:48.093{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FD121C722D81B9AE2968260A11A9B77,SHA256=95DBF12B50025DEE202DA890E991C1F0A40216AE10EF8255DE836D8F41855363,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190091Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:49.539{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D40712D24D2804B13A8D6DD782F79F6,SHA256=A9E6F9312E20B383D767C656403CC8C9F7EB727B3853A0867729D0C5284D0613,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000135301Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:46.702{6AAC6DF5-B0C0-6218-5B00-000000003802}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-933.eu-central-1.compute.internal50974-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000135300Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:49.140{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B468F526E201DC320152AE459DB256AB,SHA256=63E724AB622E6918425C4B865F9FB5ADD39A4D946528CCCB9421F74F226B567F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190101Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:50.554{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37BD574670CE2A94C6E961F05946BA2E,SHA256=AFC0E8C863E7D23AE1D3E903B97C700ADAFED505DAB4261FBA0A9EBDFA880F9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135302Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:50.140{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F79C46E89EF3B592CF5643217517D8E,SHA256=27D84DE4095E34E38CF3F529967EED5CD49A9CC931D6CD06D5F8F6B68A4B5617,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000190100Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:50.367{414E8EDF-B0C0-6218-3300-000000003702}31843204C:\Windows\system32\conhost.exe{414E8EDF-CA56-6218-DF03-000000003702}3568C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190099Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:50.367{414E8EDF-B0B0-6218-0C00-000000003702}8402676C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190098Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:50.367{414E8EDF-B0B0-6218-0C00-000000003702}8402676C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190097Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:50.367{414E8EDF-B0B0-6218-0C00-000000003702}8402676C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190096Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:50.367{414E8EDF-B0B0-6218-0C00-000000003702}8402676C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190095Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:50.367{414E8EDF-B0AE-6218-0500-000000003702}416532C:\Windows\system32\csrss.exe{414E8EDF-CA56-6218-DF03-000000003702}3568C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000190094Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:50.367{414E8EDF-B0BE-6218-2900-000000003702}27923692C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{414E8EDF-CA56-6218-DF03-000000003702}3568C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000190093Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:50.368{414E8EDF-CA56-6218-DF03-000000003702}3568C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{414E8EDF-B0AE-6218-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{414E8EDF-B0BE-6218-2900-000000003702}2792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000190092Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:50.320{414E8EDF-C88D-6218-AA03-000000003702}4564ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\session.xmlMD5=ED1702CB1AE12493BB8104D5CC6642D1,SHA256=F09890426A6BEC9D73B996EC7781E51529B975F41E717F0AAE8E362116FB4137,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000190122Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:51.867{414E8EDF-CA57-6218-E103-000000003702}53006020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{414E8EDF-B0BE-6218-2900-000000003702}2792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000190121Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:51.586{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C34C6FDEFBD97B14D955D3E47CABB20C,SHA256=1981ACE27B3681BC1DE4501B3F20B8D12A1FE5D2E409266FD53BBB146F47F190,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135303Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:51.171{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE0797D5605B3BEFAAAB70FB6649195D,SHA256=4734310612BF832152DCCDE928C0A1F754EEC56521F5A95B4311B912372F122C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000190120Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:51.554{414E8EDF-B0C0-6218-3300-000000003702}31843204C:\Windows\system32\conhost.exe{414E8EDF-CA57-6218-E103-000000003702}5300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190119Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:51.554{414E8EDF-B0B0-6218-0C00-000000003702}8402676C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190118Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:51.554{414E8EDF-B0B0-6218-0C00-000000003702}8402676C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190117Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:51.554{414E8EDF-B0B0-6218-0C00-000000003702}8402676C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190116Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:51.554{414E8EDF-B0B0-6218-0C00-000000003702}8402676C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190115Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:51.554{414E8EDF-B0AE-6218-0500-000000003702}416532C:\Windows\system32\csrss.exe{414E8EDF-CA57-6218-E103-000000003702}5300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000190114Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:51.554{414E8EDF-B0BE-6218-2900-000000003702}27923692C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{414E8EDF-CA57-6218-E103-000000003702}5300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000190113Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:51.555{414E8EDF-CA57-6218-E103-000000003702}5300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{414E8EDF-B0AE-6218-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{414E8EDF-B0BE-6218-2900-000000003702}2792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000190112Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:51.398{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C3FA0E6DAE6E9C0F5051C743A35EA8CF,SHA256=9B3B088515A6E270F1186F62996E3F2B81900914353B3E5CD6F49D9E2B694A8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190111Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:51.398{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=756E1FA116CCCB3B9C95D683DDF4094B,SHA256=4B19D48651E80F836D3160E5C2F9B2F73D6864A1EFDF07A4DBFE9F00D6E5082B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000190110Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:50.681{414E8EDF-B0C9-6218-6A00-000000003702}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52680-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000190109Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:51.039{414E8EDF-B0C0-6218-3300-000000003702}31843204C:\Windows\system32\conhost.exe{414E8EDF-CA57-6218-E003-000000003702}4288C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190108Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:51.039{414E8EDF-B0AE-6218-0500-000000003702}416372C:\Windows\system32\csrss.exe{414E8EDF-CA57-6218-E003-000000003702}4288C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000190107Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:51.039{414E8EDF-B0B0-6218-0C00-000000003702}8402676C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190106Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:51.039{414E8EDF-B0B0-6218-0C00-000000003702}8402676C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190105Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:51.039{414E8EDF-B0B0-6218-0C00-000000003702}8402676C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190104Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:51.039{414E8EDF-B0B0-6218-0C00-000000003702}8402676C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190103Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:51.039{414E8EDF-B0BE-6218-2900-000000003702}27923692C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{414E8EDF-CA57-6218-E003-000000003702}4288C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000190102Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:51.040{414E8EDF-CA57-6218-E003-000000003702}4288C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{414E8EDF-B0AE-6218-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{414E8EDF-B0BE-6218-2900-000000003702}2792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000190143Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:52.945{414E8EDF-B0C0-6218-3300-000000003702}31843204C:\Windows\system32\conhost.exe{414E8EDF-CA58-6218-E303-000000003702}4728C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190142Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:52.945{414E8EDF-B0B0-6218-0C00-000000003702}8402676C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190141Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:52.945{414E8EDF-B0B0-6218-0C00-000000003702}8402676C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190140Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:52.945{414E8EDF-B0B0-6218-0C00-000000003702}8402676C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190139Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:52.945{414E8EDF-B0B0-6218-0C00-000000003702}8402676C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190138Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:52.945{414E8EDF-B0AE-6218-0500-000000003702}4165324C:\Windows\system32\csrss.exe{414E8EDF-CA58-6218-E303-000000003702}4728C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000190137Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:52.945{414E8EDF-B0BE-6218-2900-000000003702}27923692C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{414E8EDF-CA58-6218-E303-000000003702}4728C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000190136Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:52.947{414E8EDF-CA58-6218-E303-000000003702}4728C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{414E8EDF-B0AE-6218-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{414E8EDF-B0BE-6218-2900-000000003702}2792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000190135Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:52.664{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9EA8416DD456DDA67D85DE5ED965E6C,SHA256=6DB7C69E219CCBBEB1332AF7B49CA3888B03A529FC57539566D5E3BBAE81260C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190134Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:52.664{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C3FA0E6DAE6E9C0F5051C743A35EA8CF,SHA256=9B3B088515A6E270F1186F62996E3F2B81900914353B3E5CD6F49D9E2B694A8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135304Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:52.187{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6AD79BA575059209756B6F316647D7D,SHA256=3E5D926684DE1DB48C7BBF1776937C65B8383CF8A6C011A92C28C8A6C1671107,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190133Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:52.492{414E8EDF-C88D-6218-AA03-000000003702}4564ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\AttackRangeSysmon.xml@2022-02-25_122350MD5=3EBB95C75291CE1E34626D623BC50C45,SHA256=29CB4E2103BF2F8C363EC41EC2976E0B7909383602030D17AE8E66FC8CEB6326,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190132Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:52.476{414E8EDF-C88D-6218-AA03-000000003702}4564ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Program Files\ansible\AttackRangeSysmon.xmlMD5=97CD5E1AE569E9BA4765A70AE25662F8,SHA256=02D6AFEA425D08F270366334245A9705F9D6CCFCBDDF7DCC93F8448D07238E31,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000190131Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:52.258{414E8EDF-CA58-6218-E203-000000003702}5816212C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{414E8EDF-B0BE-6218-2900-000000003702}2792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190130Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:52.054{414E8EDF-B0C0-6218-3300-000000003702}31843204C:\Windows\system32\conhost.exe{414E8EDF-CA58-6218-E203-000000003702}5816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190129Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:52.054{414E8EDF-B0B0-6218-0C00-000000003702}8402676C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190128Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:52.054{414E8EDF-B0B0-6218-0C00-000000003702}8402676C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190127Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:52.054{414E8EDF-B0B0-6218-0C00-000000003702}8402676C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190126Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:52.054{414E8EDF-B0B0-6218-0C00-000000003702}8402676C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190125Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:52.054{414E8EDF-B0AE-6218-0500-000000003702}4165324C:\Windows\system32\csrss.exe{414E8EDF-CA58-6218-E203-000000003702}5816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000190124Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:52.054{414E8EDF-B0BE-6218-2900-000000003702}27923692C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{414E8EDF-CA58-6218-E203-000000003702}5816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000190123Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:52.055{414E8EDF-CA58-6218-E203-000000003702}5816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{414E8EDF-B0AE-6218-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{414E8EDF-B0BE-6218-2900-000000003702}2792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000190156Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:53.976{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5BF607062EAD031E753175F5B9321949,SHA256=9E4617ADB3FD2F444F03B3A4236C631A78D3E2A82A43014215DF4F5EE7FC93CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190155Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:53.898{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAFA2B2DAD2442CB1E7FC9B270575867,SHA256=4743816567BA039D683DF64BBBD0946E33ACAFCBCA493E39C86D4812E2E991C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135305Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:53.202{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=466C12C375C035AFD673538F9E821647,SHA256=E40CA264C0703006D7A79EC29254FCC0F5AEADCD8FC10B33F8083BAA3E9CCDE1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000190154Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:53.836{414E8EDF-B0C0-6218-3300-000000003702}31843204C:\Windows\system32\conhost.exe{414E8EDF-CA59-6218-E403-000000003702}5008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190153Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:53.836{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190152Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:53.836{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190151Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:53.836{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190150Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:53.836{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190149Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:53.836{414E8EDF-B0AE-6218-0500-000000003702}416432C:\Windows\system32\csrss.exe{414E8EDF-CA59-6218-E403-000000003702}5008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000190148Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:53.836{414E8EDF-B0BE-6218-2900-000000003702}27923692C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{414E8EDF-CA59-6218-E403-000000003702}5008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000190147Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:53.837{414E8EDF-CA59-6218-E403-000000003702}5008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{414E8EDF-B0AE-6218-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{414E8EDF-B0BE-6218-2900-000000003702}2792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000190146Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:52.885{414E8EDF-B0AE-6218-0B00-000000003702}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-478.attackrange.local52681-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-478.attackrange.local389ldap 354300x8000000000000000190145Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:52.885{414E8EDF-B0BE-6218-2B00-000000003702}2820C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-478.attackrange.local52681-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-478.attackrange.local389ldap 10341000x8000000000000000190144Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:53.398{414E8EDF-CA58-6218-E303-000000003702}47284732C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{414E8EDF-B0BE-6218-2900-000000003702}2792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000190158Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:54.898{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9D87B7CB9E4961C9DE81FD8826696F5,SHA256=86E69AB83138765A75DCFB7719CDE8171BCB32D06DDAC559DAF0A2C8CD67F979,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000135307Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:52.577{6AAC6DF5-B0C0-6218-5B00-000000003802}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-933.eu-central-1.compute.internal50975-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000135306Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:54.234{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E56E42FA303BF5296BDB7095B912B71,SHA256=DEC8B5DAE75E4BBC35490EBED8C1FA0F3D5DE4E3F88E0FDD7390191B4A6DBCEE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000190157Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:54.101{414E8EDF-CA59-6218-E403-000000003702}50082836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{414E8EDF-B0BE-6218-2900-000000003702}2792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000135308Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:55.265{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4040DF62006CF42E057D1651F8B0CF9,SHA256=757B7376EC8DD7680BCB0400A80050896D3197813812DA6B0508F3ADC1DB33FA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000190167Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:56.836{414E8EDF-B0C0-6218-3300-000000003702}31843204C:\Windows\system32\conhost.exe{414E8EDF-CA5C-6218-E503-000000003702}596C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190166Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:56.836{414E8EDF-B0AE-6218-0500-000000003702}416372C:\Windows\system32\csrss.exe{414E8EDF-CA5C-6218-E503-000000003702}596C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000190165Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:56.836{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190164Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:56.836{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190163Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:56.836{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190162Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:56.836{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190161Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:56.836{414E8EDF-B0BE-6218-2900-000000003702}27923692C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{414E8EDF-CA5C-6218-E503-000000003702}596C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000190160Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:56.837{414E8EDF-CA5C-6218-E503-000000003702}596C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{414E8EDF-B0AE-6218-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{414E8EDF-B0BE-6218-2900-000000003702}2792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000190159Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:56.117{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C19B4DB772DC59B3F8E188C8E0925E0,SHA256=FEDE2514E52B8AD223257E1E34CCA83AD31C569AF699A06300E600C3E483A69A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135309Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:56.296{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22F358A562C8F1E7211E788E2A258C0B,SHA256=B922F58031AB2CEB862EE00A1058DEA197D68DB066AA4F6CABCE4AC03A5E6C73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135310Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:57.343{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF6B195F356802945EB921410290AF2C,SHA256=C5207B4CD27B881BF940257F667C092A72DF2869D9030ADE788BD1075A8E57F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190170Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:57.962{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=49A8BE675AC79780FA4060D12DBECC04,SHA256=19D50AEC3AE5973C0474B626ACA4385A62C5601F84797A2AEF654D9D8AF87ECF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000190169Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:56.637{414E8EDF-B0C9-6218-6A00-000000003702}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52682-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000190168Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:57.164{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5BE8C7BD3C071310E44C69D8CFC5268,SHA256=1251F3AD243560DF2A464D707D29A4F98CA38680F44236BD705D0CBFF597C8FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135311Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:58.374{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72A98BF8791E618756DE50C4BA2E9434,SHA256=2CB80002EABA91EAF99B0C471722401B9FBF55320F8851B147F4F5F1D21CF1A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190171Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:58.179{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA72DB855034D25190BF656E4CFA1F1E,SHA256=466D9E1048A032BA829743899A7E8D8FE76E6A7EAD320F5FA453BF99C3F478D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135312Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:59.421{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4681A5B491554BD4B5B4F1514527896D,SHA256=E6E2E05B93F7C0BF29845504B1A45677B7B457AC86663C19DDC21FA85407AB4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190172Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:23:59.179{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B222AF74C8CECE8B1AC9B728161FC2AD,SHA256=CC211C88C1299B067A59F5DB9ED4F2F4AD8BD36EED5E5428CF2C2C64D892B247,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000135314Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:23:58.608{6AAC6DF5-B0C0-6218-5B00-000000003802}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-933.eu-central-1.compute.internal50976-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000135313Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:00.437{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF3F975DAA64F74193B1B5251435F890,SHA256=0EFA9BD294BEA91231E27C1606121D0681DE550FB29385254E5FE62670704D7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190173Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:00.367{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95C00BC071C944D68179AFF7E2FB5048,SHA256=2E08973766698776AE6760767D70A24E9ADCD43ED87F776C8DC06081F5CA51F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190174Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:01.414{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED1A2E5A40E32BF82FCD74D1ECD07B42,SHA256=B0469451488EAF8321E6369E78BDAD03C7C94B3E2D9DBD964E9F5F4C4E97A6F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135315Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:01.452{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD673AC6BA8792D87F140B7E245F179F,SHA256=A69849F469F84CF0544E3E8509916AC2F363B5B6F3EBD3E8727FA211D41F84A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190175Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:02.430{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8482D2527DC1ECF7181167F677A2B052,SHA256=7FFAA70A1EEE9AA818B9C6B39803FA4DCCD32226DB0140765B87716ADDE7E8DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135316Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:02.468{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCBC802EF457DCC2D0B3C0628CDF6431,SHA256=2D7593B35D9633C1009EC73E5EC2C4ECFE3C9537205FA6663727E8CD74CD00AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135317Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:03.530{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EB807B8854718AD463483F69B852A34,SHA256=631E54965226073597DAC7A3DFD887A1822BCE1DD8A0F8FE699E0C890A505603,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000190178Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:02.572{414E8EDF-B0C9-6218-6A00-000000003702}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52683-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000190177Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:03.445{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F736AB86DF7CE98EA3D6CBE0AE5CDFCC,SHA256=8FDD5E544E8422AFD2C9AFBB135C6FA1BF8A9B1D99184B5DF7410A33B8A6AB72,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000190176Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:03.221{414E8EDF-B0DB-6218-8100-000000003702}46444816C:\Windows\system32\taskhostw.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000135318Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:04.530{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=132A3C8177F6B1D3FB4F4372EB090E02,SHA256=CB84257E5D686C5BF3565CA59E40D8AC3CAF09777ADCA42E552D9E79F00D3584,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190179Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:04.461{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C17BD1732EC9E9BEC7698121F224E304,SHA256=95276BBE3D177C0232363A3220F04E468B528AB0B8F66C39518D3D69AEBE2BD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190180Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:05.461{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96158A43269DE0A75EC1150F88682F71,SHA256=B2564DB8DA38906DCB6C097F09AAC60441C436514E5DAD68E65F1C29BC34B334,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000135320Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:03.655{6AAC6DF5-B0C0-6218-5B00-000000003802}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-933.eu-central-1.compute.internal50977-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000135319Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:05.546{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BE57561A626FE40D2A50303056C5F11,SHA256=41BE3A405717E3A06B604628057A56F8F795F7B91E8A0B66A564BE3EDC9EDBA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190211Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:06.836{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B39E09F591B141C154B4242A7536464,SHA256=4128C8F303465A03122EDD6B4D5DEC690414717D9114308442481D3D3B2F6A20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135321Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:06.608{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F10491F9301CDE85D261048E5322BD08,SHA256=6EF0C7E02985A59E7D210621D2312DCB3E3D8AD9968BCFFE350EEC1D82FE516B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000190210Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:06.055{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DD-6218-8900-000000003702}4020C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190209Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:06.055{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DD-6218-8900-000000003702}4020C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190208Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:06.055{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DD-6218-8900-000000003702}4020C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190207Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:06.055{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DD-6218-8900-000000003702}4020C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190206Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:06.055{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DD-6218-8900-000000003702}4020C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190205Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:06.055{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DD-6218-8900-000000003702}4020C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190204Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:06.055{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DD-6218-8900-000000003702}4020C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190203Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:06.055{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DD-6218-8900-000000003702}4020C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190202Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:06.055{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DD-6218-8900-000000003702}4020C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190201Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:06.055{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DD-6218-8A00-000000003702}4764C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190200Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:06.055{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DD-6218-8A00-000000003702}4764C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190199Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:06.055{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DD-6218-8A00-000000003702}4764C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190198Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:06.055{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190197Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:06.055{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190196Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:06.055{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190195Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:06.055{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190194Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:06.055{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190193Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:06.055{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190192Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:06.055{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190191Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:06.055{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190190Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:06.055{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190189Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:06.055{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190188Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:06.055{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190187Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:06.055{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190186Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:06.055{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190185Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:06.055{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190184Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:06.055{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190183Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:06.055{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190182Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:06.055{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190181Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:06.055{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000190212Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:07.851{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B8370FB9F9E62836A1396E065E3DE99,SHA256=82204D728A93C6E9239BABFD292E6FD1BCF969E45A257EFBF24DE74C95CFC74E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135322Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:07.640{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84D1CFD81012D59336BD44021D6E09F8,SHA256=E700B49DDB68A823D13B364DFCC22B09FA976FBE3AEC1BF9EF02F4C3925175B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190213Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:08.867{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B849A2B2CCE4BD83CCC3C7D19753EE4,SHA256=70C59771E159719F36243D6C759B8AE96EAFC742CB16DDF848894F52797316DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135323Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:08.655{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=655CAF5EF984532B499A6FBC129F9531,SHA256=813237B23B128C229F41E7B3FE07DE5CA8CEF152DCFF391AFDBE878A04D55964,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190215Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:09.899{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20F96D2FD757EDBECA2163AE11ED585D,SHA256=CC509DA2D6C634161AD71F23BCA451E120BBCB3EDB5DA406298E401A93A17AAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135324Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:09.671{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13C372AA8E2207A2931FEF918F4042A0,SHA256=4225272BD6CA7F7296335CC5025AFFDC0BFAFB369658AF5DFA88936DAE205654,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000190214Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:07.572{414E8EDF-B0C9-6218-6A00-000000003702}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52684-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000190216Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:10.961{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8C9E908DB2B659A3614F0219A66FA53,SHA256=39D95DF077D2BB510207A3F64A099511BDD578E0AB83FDA32321E9F3065FC1E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135325Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:10.671{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7223F0D62A3FE6AB8F2685644D3B809B,SHA256=F64645E8C1D04C87588EF71027E44A80BCA6E82E4D6A63E8F1E5CD36528CAB1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190217Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:11.992{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE4413F1941B512A6C73E9FB79EFF74E,SHA256=E237A3E116D1971F1D737C67EE398474AD7F916172E639978896AE9C5F82A65C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135327Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:11.672{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D97BE1C5A697FDB0EC4383CB2FD3BA82,SHA256=F842C842B841BCC37F6F94498C4FF626DCFEEF6265FB6B07A096041C2AB729D3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000135326Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:08.748{6AAC6DF5-B0C0-6218-5B00-000000003802}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-933.eu-central-1.compute.internal50978-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000135329Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:12.688{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDA2742F6E244CD91DF78ABE2D9B3743,SHA256=34A67C1E665B6BFFB5F8CE29779794526698577A359AB24FB60B7283B6AFE840,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135328Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:12.128{6AAC6DF5-B0B2-6218-1D00-000000003802}1952NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d7ccee276d30a4b6\channels\health\respondent-20220225103429-106MD5=FBD42F5F8AA0DC0DD6067820063FF10B,SHA256=AAA41009555F09EFB0ED817562D7125DD50A33AE671816E82835424EE5CAE232,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135331Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:13.689{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F7825B9830778743E6EA1372E4163FC,SHA256=BF96B5B2C7E3520F304CC48A5E30235CCAFE97BBA0E5CE960A0781389653947B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190218Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:13.008{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56BD6494824720433BF40C9CE004A1A2,SHA256=98285E0EEBAFC9951526958AB5EC8B41B77FAC337505A16CD5746BB58100E7BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135330Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:13.142{6AAC6DF5-B0B2-6218-1D00-000000003802}1952NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d7ccee276d30a4b6\channels\health\surveyor-20220225103427-107MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135332Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:14.689{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F4EA517950CA7A6EE3132490B174703,SHA256=33B8BA5F1B993A4112FB04DF39C360E682734596C6082748B5178DE99AB690AC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000190220Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:13.527{414E8EDF-B0C9-6218-6A00-000000003702}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52685-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000190219Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:14.164{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3C16F1EEC104C6B323B55D74C6D9923,SHA256=EDCCB4D2C0DA51FE0A4889A7BD252345E572BB1F2844390B4A72899E3CCEDDC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135333Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:15.705{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5D77981422E556022B172E3015AD4FE,SHA256=14C0B4C0DCF6B1D0BA962A0906DD7BA869422C07561738D373233FF758D95A92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190221Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:15.305{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D866A77E13FF44FBE8A9AC8DAC77ECBF,SHA256=17F82822C36C3E0988BD76DCC5F4E9A9C078A6043378C436D08600134E828757,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135334Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:16.720{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BB43403CAC551725C1AB47E179DDB07,SHA256=D00F14D9294BD4E64988ABDFE055CD3A30AC58C5E380D44E672204A3506689A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190222Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:16.336{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F73A683A4485740E8912BC7521EE7287,SHA256=75169A02D4488CEE87D49D6C7B5F5EA109DBF651CBA6FBB3B68F4CD0D61D8321,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135336Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:17.736{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DF52EEDF75674C2EB4ADEEA77741B6E,SHA256=FE7A4A2A7AB7CA184380F0B05BD39F3F6A56A7796840CCD7B92120084AAA4FED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190223Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:17.336{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F308F2A7F7BD38127353E47DCA760D5,SHA256=B7BEE9C27867613C8CE5EA0219C2958100A0FE5B8A196011D019BD2797A2F4E8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000135335Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:14.688{6AAC6DF5-B0C0-6218-5B00-000000003802}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-933.eu-central-1.compute.internal50979-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000135337Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:18.751{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D093C307A30DE184A05E6718EBD18086,SHA256=EC6A2DA30DE7A9079D7D0959218E283F618DBAA18E003129C4D2E40D34B2AD38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190224Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:18.352{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E08C2746A1941223A710A0C36B2FC822,SHA256=D4A1D46A07F982EE39CD0F2CDDCF7D742640C99D18D1419651AF9E70013D3D87,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135338Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:19.751{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=607B8ECFEF6F36B55145B3C9ECC5FB3A,SHA256=9CB61A802F6E534806BC6E419550F36B8F2FAC6DA9849DE085EF4C324F9FA1D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190225Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:19.367{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E18BE858AA85033904CF52D21E676FD,SHA256=23E6204C0D746FDE59E3635AAA47251E06D9E506A0064266EB039B0EAE5A00DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135339Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:20.767{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48ED26926E5F6F7443FFFF17F142305D,SHA256=42C425405C9DE69334D157D53BF04B88D1DB9C408DB4AF472F373D766E33AC2B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000190234Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:20.477{414E8EDF-B0DB-6218-8600-000000003702}49564688C:\Windows\Explorer.EXE{414E8EDF-C88D-6218-AA03-000000003702}4564C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190233Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:20.477{414E8EDF-B0DB-6218-8600-000000003702}49564688C:\Windows\Explorer.EXE{414E8EDF-C88D-6218-AA03-000000003702}4564C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190232Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:20.477{414E8EDF-B0DB-6218-8600-000000003702}49564688C:\Windows\Explorer.EXE{414E8EDF-C88D-6218-AA03-000000003702}4564C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190231Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:20.461{414E8EDF-B0DB-6218-8600-000000003702}49564104C:\Windows\Explorer.EXE{414E8EDF-C88D-6218-AA03-000000003702}4564C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+639b0|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190230Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:20.461{414E8EDF-B0DB-6218-8600-000000003702}49564104C:\Windows\Explorer.EXE{414E8EDF-C88D-6218-AA03-000000003702}4564C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47d70|C:\Windows\System32\SHELL32.dll+6396c|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190229Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:20.461{414E8EDF-B0DB-6218-8600-000000003702}49564104C:\Windows\Explorer.EXE{414E8EDF-C88D-6218-AA03-000000003702}4564C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63940|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190228Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:20.461{414E8EDF-B0DB-6218-8600-000000003702}49564104C:\Windows\Explorer.EXE{414E8EDF-C88D-6218-AA03-000000003702}4564C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000190227Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:20.383{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D9132EE3AD0AA0ADF9C9D8552591615,SHA256=2A074D0958FBAE7F5582C856EA3E42CE3E7DC7773FECBA99E85783D9525A5A6A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000190226Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:18.697{414E8EDF-B0C9-6218-6A00-000000003702}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52686-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000135340Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:21.783{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13FCB1367C759D4DA76350C7FDCA0B22,SHA256=C158756F2F2342344E3100B460C7869C30EE0AB00B3E0A217B72CC0849F8F8EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190235Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:21.430{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=081F7EBB399A2BEBC7117B409753F7AD,SHA256=F33C24CCCE7AF05E98779AC455496323538393DBA3D6C04AD0BA116506DD0181,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190238Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:22.917{414E8EDF-B0BE-6218-2400-000000003702}2716NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0cad71091a725587e\channels\health\respondent-20220225103441-106MD5=E961008872A85D9E7B2EDCDB9076BE5A,SHA256=4C7B4263F3F8553ACCFCCC53A0FA56737D447810FFCB4A43A3BA8D688A9FDFED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190237Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:22.462{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38331B40EA6685A39E00C22862FE26A6,SHA256=22DD95D770883E9C28D717EF08559083BBF9FD8FB557A740D2524039F7F5EBE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135342Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:22.798{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54117ECF059516356CD277E37253D483,SHA256=5A956082F3DC772C873455C17C65BFD83C7FBDF19161EB1FD7493F7843823F98,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000135341Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:20.672{6AAC6DF5-B0C0-6218-5B00-000000003802}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-933.eu-central-1.compute.internal50980-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000190236Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:22.086{414E8EDF-C88D-6218-AA03-000000003702}4564ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Program Files\ansible\AttackRangeSysmon.xmlMD5=2955B62E945017E759CC73E09B280B5B,SHA256=9B5508CE399B08518614EB359D0727DDEE81A55CA682579DA54FD75961473E8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135343Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:23.814{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=436A518287503C90A76CD9126CAF235F,SHA256=250537F87B9645E4B362A4F1527B2BB5281164860B43C0F560F94B87F2D39635,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190240Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:23.926{414E8EDF-B0BE-6218-2400-000000003702}2716NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0cad71091a725587e\channels\health\surveyor-20220225103439-107MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190239Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:23.488{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E4545FB55147860813F6DBA343E1BE3,SHA256=8388C9C507CEB494D59448C425A503DEC39544CC7B17ED381D8E6A9AE012ECF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135344Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:24.830{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C119BDDFF7D5FC07BF15AA174C785FD,SHA256=881312D1041A13C84CC42C78689CC68DC798B43E8CB4678D4CC83E5376CAC044,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000190244Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:24.692{414E8EDF-B0B0-6218-0D00-000000003702}9005868C:\Windows\system32\svchost.exe{414E8EDF-C90F-6218-BB03-000000003702}5760C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190243Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:24.692{414E8EDF-B0B0-6218-0D00-000000003702}9005868C:\Windows\system32\svchost.exe{414E8EDF-C90F-6218-BB03-000000003702}5760C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190242Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:24.692{414E8EDF-B0B0-6218-0D00-000000003702}9005868C:\Windows\system32\svchost.exe{414E8EDF-B0B1-6218-1600-000000003702}1288C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000190241Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:24.489{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E960D3C549522A1753E3F0111060D986,SHA256=AFAEA8ADD3771C843B3E6B2D928648A8C8724F5C307489ACD657AA6D603C31B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135345Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:25.892{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=845D1D8C697FFF2E369C376274FC43C6,SHA256=ABF7671A274FF7357AE5EA2DA5947F4B8B087AA2C14228EF992BC72FA92310C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190248Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:25.536{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34F376088D87DBAAC18298249C48BB40,SHA256=A2F59CCFCA9BDCFB3CBCDF7AEFFBD85901D50817B034366318438552DBFCF7C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190247Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:25.520{414E8EDF-B0B1-6218-1100-000000003702}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=642A387836EBDA610A013F4D77476429,SHA256=8A1371CC14FC6F05A465690687050A316E30101FEF4CA6628AAE24514F76F659,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000190246Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:25.083{414E8EDF-B0B1-6218-1600-000000003702}12883364C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2300-000000003702}2708C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190245Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:25.083{414E8EDF-B0B1-6218-1600-000000003702}12883364C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2300-000000003702}2708C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000190257Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:26.708{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E51037279407F7C753DF175FCC42C325,SHA256=736F5350AC730A72F16415E4323E99B3F4A2B93AD2713D664B3B2B234984A7F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135347Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:26.923{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1B2B50F7E2B3A2B806BEAC69213DC90,SHA256=D886155D6235EB92D23D128373B94D812812F7930B03B0FD98F1B1F3187FF8FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135346Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:26.814{6AAC6DF5-B0B1-6218-1300-000000003802}108NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=74D6F181B0CD21E1FC26DE48CCE22AA2,SHA256=A6A7D03CFAE8CA8ADC6B31B416D3BFC3BF05DA7D9559915FD9883F31160BE87A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000190256Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:26.427{414E8EDF-B0DB-6218-8600-000000003702}49564688C:\Windows\Explorer.EXE{414E8EDF-C88D-6218-AA03-000000003702}4564C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190255Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:26.427{414E8EDF-B0DB-6218-8600-000000003702}49564688C:\Windows\Explorer.EXE{414E8EDF-C88D-6218-AA03-000000003702}4564C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190254Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:26.427{414E8EDF-B0DB-6218-8600-000000003702}49564688C:\Windows\Explorer.EXE{414E8EDF-C88D-6218-AA03-000000003702}4564C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190253Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:26.411{414E8EDF-B0DB-6218-8600-000000003702}49564104C:\Windows\Explorer.EXE{414E8EDF-C88D-6218-AA03-000000003702}4564C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+639b0|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190252Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:26.411{414E8EDF-B0DB-6218-8600-000000003702}49564104C:\Windows\Explorer.EXE{414E8EDF-C88D-6218-AA03-000000003702}4564C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47d70|C:\Windows\System32\SHELL32.dll+6396c|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190251Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:26.411{414E8EDF-B0DB-6218-8600-000000003702}49564104C:\Windows\Explorer.EXE{414E8EDF-C88D-6218-AA03-000000003702}4564C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63940|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190250Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:26.411{414E8EDF-B0DB-6218-8600-000000003702}49564104C:\Windows\Explorer.EXE{414E8EDF-C88D-6218-AA03-000000003702}4564C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000190249Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:24.722{414E8EDF-B0C9-6218-6A00-000000003702}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52687-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000190268Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:27.724{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D47B512501219557C4E9C8BE4187E7F,SHA256=460156AA13E05CB9E33967CFDAFD04E0A896A6BC03225F5B83AF0A53C689DB32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135350Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:27.986{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF0EAAACE9FAC365B811E852A1A932AB,SHA256=A5AE81C9F06556B3B187306473ADD1EF00A15D23AFFFEDC391A6082FD4F658DD,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000190267Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-SetValue2022-02-25 12:24:27.130{414E8EDF-B0AE-6218-0B00-000000003702}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x8000000000000000190266Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-SetValue2022-02-25 12:24:27.130{414E8EDF-B0AE-6218-0B00-000000003702}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0064dda7) 13241300x8000000000000000190265Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-SetValue2022-02-25 12:24:27.130{414E8EDF-B0AE-6218-0B00-000000003702}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d82a3a-0x3f2a8e3c) 13241300x8000000000000000190264Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-SetValue2022-02-25 12:24:27.130{414E8EDF-B0AE-6218-0B00-000000003702}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d82a42-0xa0eef63c) 13241300x8000000000000000190263Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-SetValue2022-02-25 12:24:27.130{414E8EDF-B0AE-6218-0B00-000000003702}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d82a4b-0x02b35e3c) 13241300x8000000000000000190262Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-SetValue2022-02-25 12:24:27.130{414E8EDF-B0AE-6218-0B00-000000003702}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x8000000000000000190261Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-SetValue2022-02-25 12:24:27.130{414E8EDF-B0AE-6218-0B00-000000003702}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0064dda7) 13241300x8000000000000000190260Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-SetValue2022-02-25 12:24:27.130{414E8EDF-B0AE-6218-0B00-000000003702}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d82a3a-0x3f2a8e3c) 13241300x8000000000000000190259Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-SetValue2022-02-25 12:24:27.130{414E8EDF-B0AE-6218-0B00-000000003702}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d82a42-0xa0eef63c) 13241300x8000000000000000190258Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-SetValue2022-02-25 12:24:27.130{414E8EDF-B0AE-6218-0B00-000000003702}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d82a4b-0x02b35e3c) 23542300x8000000000000000135349Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:27.876{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=0D2EE4A0940CAB235376E2CBE5D3F2DF,SHA256=32407E1862607173C643BBCC874643A5A75FD2749F8ADF299B013EA4E2B30492,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135348Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:27.876{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=2432CAF855CCA721FE26918846B6C577,SHA256=6CE583CEB78B2619311135814168CA2889E51903C78D0B3754641DECD293D6A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190269Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:28.724{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A24F6D29DD00F6AA713E38BFDBF53016,SHA256=1EA9F8BB4B44D2A1AD0E2507A2487DAAB38FC4DC6032CFC18AA10E060658D2CD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000135351Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:26.627{6AAC6DF5-B0C0-6218-5B00-000000003802}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-933.eu-central-1.compute.internal50981-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000190270Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:29.739{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=872502F0A5A095E58938B235B0AE55D1,SHA256=9532D95C117CD2C339AECA3B2AC9B66545137B5C4775532F28328893BE99652A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135352Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:29.033{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75D1EEEA6D7DAA180291B8C4B4520BC9,SHA256=5B261F315E0C62E115AAF4A8BB75B7EF6C82FC82CAF5C5694E38A575DEE77A3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190271Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:30.755{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E40B9A7C96A66DB5D9B6D4B001AA987,SHA256=1A19A76A1EDF4D72066EDB550401D991FB287353AC1FE464C350C471FCBEE66B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135354Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:30.205{6AAC6DF5-B0B2-6218-2200-000000003802}1500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=4A396A40DE4AD844AFDFD6BFEE34209D,SHA256=ABC582D2644B8C5C1CF17206963A01B55D9A40BBB1979B03D8F2D216AA803ABE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135353Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:30.080{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20AC620366C1711D517744E0FB1CFFB1,SHA256=6FE8DFF5DB5C436F385B00F74ADAEFC3790BDCC2FA16EB17B6E291DB973BE46B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000190273Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:31.974{414E8EDF-B0AE-6218-0B00-000000003702}632804C:\Windows\system32\lsass.exe{414E8EDF-B0AB-6218-0100-000000003702}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+97022|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2f1f1|C:\Windows\system32\lsasrv.dll+2d0d6|C:\Windows\system32\lsasrv.dll+32919|C:\Windows\system32\lsasrv.dll+30267|C:\Windows\system32\lsasrv.dll+2f1f1|C:\Windows\system32\lsasrv.dll+1752d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e 23542300x8000000000000000190272Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:31.771{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B78867BC8FCD376FFAE41147EED516D3,SHA256=9D2FF7CBDE34060B0504B078071BA929BC6DD4154E7CB7A0DD2F2FE5F0FA2CC8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000135356Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:29.688{6AAC6DF5-B0B2-6218-2200-000000003802}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-933.eu-central-1.compute.internal50982-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000135355Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:31.096{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE23946212F5562B6774F6E80E133A1F,SHA256=CBBD443CF5B1E2B08787FF08C89F5B471617BBB552A3CB5FAB7A3BEC6120AA0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190275Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:32.786{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50EF92548CFEB846DC74469236177770,SHA256=3F58A68D5B414FDD24BE47B6D1C3D3793061F15374264BC6D8C6724BAE769D43,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000190274Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:30.694{414E8EDF-B0C9-6218-6A00-000000003702}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52688-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000135357Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:32.112{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=665D6B5B061A5260728F62BEF81F88F6,SHA256=365AC989144962CDA4E493C0C3CB1FC1B449AD8442A2CDBE8E8991891E375ACD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190280Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:33.802{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84EBFDCEC4D1B0D263782AEAF1E1CAB0,SHA256=18D987FAD1DF0769AD26A12B14F7DADF7138C3650AB6CB77129822C8DEED5BB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135358Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:33.128{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C105952926FB229A662C81A7D4A1515,SHA256=001E7A642862995C145AA15C573B76539C0B43C1481354C1FBBBB79E3B54136C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000190279Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:32.476{414E8EDF-B0AB-6218-0100-000000003702}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52689-false10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local445microsoft-ds 354300x8000000000000000190278Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:32.476{414E8EDF-B0AB-6218-0100-000000003702}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52689-false10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local445microsoft-ds 23542300x8000000000000000190277Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:33.005{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B415508641862C673EF8AC5CE8ECBA1B,SHA256=011E998F04AE767046CBFE2DD7E7FF23E6E5E330913BCB0E9251CDB03926168A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190276Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:33.005{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6F715A83F428D9E956BFEBFC5A42569B,SHA256=E6E9212179990EE5C34C155444B58AB82D25171E4F654A9F1853EBF36152739A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190281Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:34.802{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B3FBA3F0513E4DECB3159A1988BCBED,SHA256=52F998BC37F868B61F8C013628C353885F57C6745C86908A56D464EC2EEEC877,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000135360Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:32.596{6AAC6DF5-B0C0-6218-5B00-000000003802}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-933.eu-central-1.compute.internal50983-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000135359Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:34.190{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC4EE95D110A9FD8AAC73D2F5506D38A,SHA256=91E38E7F2C13AB11708AF9904D766499BF092379344559FE7A9024ADCF691C0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190282Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:35.817{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D61519E1C8C32FBD88BE0853DD0089A,SHA256=033A54C89CF7205C1BF6E0D366CB0E51055AEFAFC7D6A721C91098B55F0621FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135361Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:35.253{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A029BF87B14B21F33BB0F6C13D4D1E6,SHA256=014E611822944A648A8EDAD021652C3DD4BBCF7FD5237E8E745E299C07F2CE8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190283Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:36.833{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0AFCFB808AD1B5BACBA9D149F72AA00,SHA256=4FFEBD887394DECC76E7AC7AA4F4E05D53EB3E468A3D01BA9F7C1CCD9F9DF005,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135362Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:36.268{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D44FBEE7B7A5E0DAF1274E7A753EA51,SHA256=497571502FE3578D651BB319923141C0F964CEB1B13521D5EC5CF9D28880A9D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190284Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:37.849{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=977C0978E674C7A3A1E0C5BF99D02DB4,SHA256=54C437551A5C3531A90DCA2B665B3663FE3D7259806C5C32C9593EDA6B786553,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135363Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:37.331{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9290F126A30F62F32C4211692BFB340,SHA256=CC0A65BA2E358B25FF182D9FCC9CC8A6A073C7D856F343D1B697FF79EFD633B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190287Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:38.849{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C92FC97225A0ABFF87274D704EFFFC2,SHA256=7245BE027BD7F450D273C761412A85D924309D323CA26171B382EEE399511A98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135364Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:38.378{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD7E808789C9D497B439398D09BB7F6C,SHA256=DB957DA1A228F2A342FCDE36EF9ADA47E71C02C0BE47D67614ABF03935214B3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190286Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:38.599{414E8EDF-B0BE-6218-2900-000000003702}2792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=4A396A40DE4AD844AFDFD6BFEE34209D,SHA256=ABC582D2644B8C5C1CF17206963A01B55D9A40BBB1979B03D8F2D216AA803ABE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000190285Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:36.601{414E8EDF-B0C9-6218-6A00-000000003702}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52690-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000190288Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:39.864{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=383977A1769990318AB6EDB60D582726,SHA256=FFC67941A78797EAA17849497F90FBC6DC0B25AE81928F6A3520C42DFC8BF125,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135365Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:39.456{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D98137FBF0AA528A681486A22212CC33,SHA256=4412346EF55240F3EE2ED53BACF3E6E54E512EB9ABE921EBB20F90C886B2CC6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190290Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:40.864{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B763F62D5ABD12A0447BC2D3964122D,SHA256=0279B4E4A55BF2526D5F82B37DC65F9C066439C4C20DE75480F06EA194495747,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000135379Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:40.643{6AAC6DF5-B0B4-6218-2B00-000000003802}28082828C:\Windows\system32\conhost.exe{6AAC6DF5-CA88-6218-9703-000000003802}928C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135378Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:40.643{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135377Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:40.643{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135376Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:40.643{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135375Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:40.643{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135374Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:40.643{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135373Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:40.643{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135372Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:40.643{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135371Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:40.643{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135370Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:40.643{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135369Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:40.643{6AAC6DF5-B0AF-6218-0500-000000003802}4241012C:\Windows\system32\csrss.exe{6AAC6DF5-CA88-6218-9703-000000003802}928C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000135368Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:40.643{6AAC6DF5-B0B2-6218-2200-000000003802}15003888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6AAC6DF5-CA88-6218-9703-000000003802}928C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000135367Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:40.644{6AAC6DF5-CA88-6218-9703-000000003802}928C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6AAC6DF5-B0B0-6218-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{6AAC6DF5-B0B2-6218-2200-000000003802}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000135366Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:40.518{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E17548B5A550A15A082853DD6EE6026,SHA256=C011612DAAE92E5238A764002D3AC5432173B0747D47D8F8C99CA3882381C5B6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000190289Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:39.085{414E8EDF-B0BE-6218-2900-000000003702}2792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52691-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 10341000x8000000000000000135410Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:41.987{6AAC6DF5-B0B4-6218-2B00-000000003802}28082828C:\Windows\system32\conhost.exe{6AAC6DF5-CA89-6218-9903-000000003802}2104C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135409Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:41.987{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135408Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:41.987{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135407Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:41.987{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135406Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:41.987{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135405Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:41.987{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135404Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:41.987{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135403Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:41.987{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000190291Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:41.866{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B99FA0B77E09D3F6BDABDE71CF8069F,SHA256=2ECED383645B0D10D6A5B8410FBFACDAFD9505BD05A0E9B04AD709359265D2F2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000135402Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:41.987{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135401Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:41.987{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135400Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:41.987{6AAC6DF5-B0AF-6218-0500-000000003802}4241012C:\Windows\system32\csrss.exe{6AAC6DF5-CA89-6218-9903-000000003802}2104C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000135399Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:41.987{6AAC6DF5-B0B2-6218-2200-000000003802}15003888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6AAC6DF5-CA89-6218-9903-000000003802}2104C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000135398Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:41.988{6AAC6DF5-CA89-6218-9903-000000003802}2104C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6AAC6DF5-B0B0-6218-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{6AAC6DF5-B0B2-6218-2200-000000003802}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000135397Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:41.784{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4183D5033F55E2F5C617F42CF5ED951D,SHA256=530EE9FA0120D778FA939BDFF7F1893A1114715F0E1123A6CFC6CF6CF4A31C0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135396Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:41.784{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC57E10EED95974D63B665C500B5BCDA,SHA256=47FCDC6965ABA64AECDD4A9766DABDAF4D8F1BF79C355586FA10AB691E103DBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135395Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:41.784{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6D084506A0EC9C1D9AD622D61ED46BE4,SHA256=BE5EAFC702DF349E530FC943874F0562E188B66348DFE5FCE89F8C6DC66B749E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000135394Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:41.503{6AAC6DF5-CA89-6218-9803-000000003802}28884072C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{6AAC6DF5-B0B2-6218-2200-000000003802}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135393Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:41.315{6AAC6DF5-B0B4-6218-2B00-000000003802}28082828C:\Windows\system32\conhost.exe{6AAC6DF5-CA89-6218-9803-000000003802}2888C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135392Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:41.315{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135391Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:41.315{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135390Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:41.315{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135389Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:41.315{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135388Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:41.315{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135387Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:41.315{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135386Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:41.315{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135385Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:41.315{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135384Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:41.315{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135383Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:41.315{6AAC6DF5-B0AF-6218-0500-000000003802}424440C:\Windows\system32\csrss.exe{6AAC6DF5-CA89-6218-9803-000000003802}2888C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000135382Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:41.315{6AAC6DF5-B0B2-6218-2200-000000003802}15003888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6AAC6DF5-CA89-6218-9803-000000003802}2888C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000135381Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:41.316{6AAC6DF5-CA89-6218-9803-000000003802}2888C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6AAC6DF5-B0B0-6218-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{6AAC6DF5-B0B2-6218-2200-000000003802}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000135380Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:38.564{6AAC6DF5-B0C0-6218-5B00-000000003802}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-933.eu-central-1.compute.internal50984-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000135411Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:42.815{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7981DEFDF7822E1FDFDFC84F9DC2750,SHA256=48738014322D92534B7F2750DE24136304AC0285B7CC2F2C999A820CCA2A0F7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190292Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:42.866{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0307667B6BF4DDC013A0AA6917736FD0,SHA256=B19E20C2DA319F32A67B020CE60985526DC84C3F5B433F997E93099CEA569336,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135413Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:43.862{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF44CDAC9BE0A47AA6594C2C828FCAA1,SHA256=6CC89518D0989F38A894D908A51E30C4F5D052C166F571F1B7E114CD5C8B22C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190295Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:43.881{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE8F1155C608816C214FF4B4FCF0DD25,SHA256=3F2063875C29362749872BB6EDA694B2FA4A4F8D7BDA15DD2DBBEEC1D777B64E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135412Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:43.065{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4183D5033F55E2F5C617F42CF5ED951D,SHA256=530EE9FA0120D778FA939BDFF7F1893A1114715F0E1123A6CFC6CF6CF4A31C0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190294Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:43.850{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1558687D6D10025B17E0F89100102070,SHA256=51BA39D8F68A44733594A639CF99AD4E053E6DCAC525517DD2517C750A4663A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190293Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:43.850{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B415508641862C673EF8AC5CE8ECBA1B,SHA256=011E998F04AE767046CBFE2DD7E7FF23E6E5E330913BCB0E9251CDB03926168A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135428Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:44.987{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF51AD33FC5B32DE8077631B2D486E28,SHA256=D8415F2BCE18E66733383A85519C294F1A7D44B21DA39959A057F4CF3E529178,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190297Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:44.897{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D06B379B21C178AD714629235127A86F,SHA256=D4447DB644C1D15B939596463996240F538B8CCB889F1EE545F6FA1A58C09BEE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000135427Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:44.909{6AAC6DF5-CA8C-6218-9A03-000000003802}35522284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6AAC6DF5-B0B2-6218-2200-000000003802}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135426Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:44.706{6AAC6DF5-B0B4-6218-2B00-000000003802}28082828C:\Windows\system32\conhost.exe{6AAC6DF5-CA8C-6218-9A03-000000003802}3552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135425Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:44.706{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135424Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:44.706{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135423Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:44.706{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135422Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:44.706{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135421Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:44.706{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135420Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:44.706{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135419Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:44.706{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135418Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:44.706{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135417Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:44.706{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135416Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:44.706{6AAC6DF5-B0AF-6218-0500-000000003802}424540C:\Windows\system32\csrss.exe{6AAC6DF5-CA8C-6218-9A03-000000003802}3552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000135415Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:44.706{6AAC6DF5-B0B2-6218-2200-000000003802}15003888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6AAC6DF5-CA8C-6218-9A03-000000003802}3552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000135414Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:44.707{6AAC6DF5-CA8C-6218-9A03-000000003802}3552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6AAC6DF5-B0B0-6218-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6AAC6DF5-B0B2-6218-2200-000000003802}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000190296Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:42.601{414E8EDF-B0C9-6218-6A00-000000003702}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52692-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000190298Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:45.912{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB38ED430708C82643A246FD468B1E02,SHA256=F0489057C875C92E0761457DBA83FD25974E1585C7607ECA3A25031F55271294,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135443Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:45.800{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A9EC94B733BBEA58EEF0CD07A367B72A,SHA256=406D01CB21C29D7667C422D0F0044E90426E45C410BEFDD502974349158EFEAB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000135442Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:45.535{6AAC6DF5-CA8D-6218-9B03-000000003802}25042464C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6AAC6DF5-B0B2-6218-2200-000000003802}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135441Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:45.362{6AAC6DF5-B0B4-6218-2B00-000000003802}28082828C:\Windows\system32\conhost.exe{6AAC6DF5-CA8D-6218-9B03-000000003802}2504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135440Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:45.362{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135439Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:45.362{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135438Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:45.362{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135437Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:45.362{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135436Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:45.362{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135435Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:45.362{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135434Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:45.362{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135433Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:45.362{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135432Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:45.362{6AAC6DF5-B0AF-6218-0500-000000003802}424540C:\Windows\system32\csrss.exe{6AAC6DF5-CA8D-6218-9B03-000000003802}2504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000135431Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:45.362{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135430Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:45.362{6AAC6DF5-B0B2-6218-2200-000000003802}15003888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6AAC6DF5-CA8D-6218-9B03-000000003802}2504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000135429Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:45.363{6AAC6DF5-CA8D-6218-9B03-000000003802}2504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{6AAC6DF5-B0B0-6218-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6AAC6DF5-B0B2-6218-2200-000000003802}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000190299Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:46.928{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2230235422D0B8F806353FBEF7CAC935,SHA256=70BEC860AD3C8F1429571D8696B2F9A8C2887ACD3BB531D6667DC3BE9455F956,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000135458Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:46.940{6AAC6DF5-B0B4-6218-2B00-000000003802}28082828C:\Windows\system32\conhost.exe{6AAC6DF5-CA8E-6218-9C03-000000003802}2992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135457Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:46.940{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135456Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:46.940{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135455Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:46.940{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135454Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:46.940{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135453Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:46.940{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135452Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:46.940{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135451Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:46.940{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135450Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:46.940{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135449Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:46.940{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135448Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:46.940{6AAC6DF5-B0AF-6218-0500-000000003802}4241012C:\Windows\system32\csrss.exe{6AAC6DF5-CA8E-6218-9C03-000000003802}2992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000135447Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:46.940{6AAC6DF5-B0B2-6218-2200-000000003802}15003888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6AAC6DF5-CA8E-6218-9C03-000000003802}2992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000135446Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:46.941{6AAC6DF5-CA8E-6218-9C03-000000003802}2992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6AAC6DF5-B0B0-6218-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{6AAC6DF5-B0B2-6218-2200-000000003802}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000135445Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:43.658{6AAC6DF5-B0C0-6218-5B00-000000003802}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-933.eu-central-1.compute.internal50985-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000135444Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:46.018{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCB7284884E77217D2C482FD4A78E8C2,SHA256=90EACA2ECAA6AE88509FDC1E544F60758BFCD86EB9048F4218A1284FFBD8E0C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190300Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:47.944{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F604C544EF3E1B8A5F79EE8CC43EB625,SHA256=8B1084E5149E7CCBC6B4387743A29A1B2528FBA28CE571D515E8C55D25FC7E93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135461Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:47.987{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CF65F8C3608C025E2BD50066E33FD362,SHA256=2DC6603E24905B98EFABC23B3A70F7347EA9AE0714C4B6379505FB5413CAE015,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000135460Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:47.112{6AAC6DF5-CA8E-6218-9C03-000000003802}29923056C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{6AAC6DF5-B0B2-6218-2200-000000003802}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000135459Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:47.034{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE2821023B2D4C2F0A01F0E51F9B6966,SHA256=73C7BB43D8107B68DFDCD0227E122ED35753B9FAC83CD7004ECAE06733ACB036,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190303Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:48.959{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE8424C36F2F91BF3D85C390E2EBB0E8,SHA256=373D38130C6B1E652836B28F2717F327583E2F266591A5F4AFD3A8AEDC68B7D7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000135475Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:48.112{6AAC6DF5-B0B4-6218-2B00-000000003802}28082828C:\Windows\system32\conhost.exe{6AAC6DF5-CA90-6218-9D03-000000003802}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135474Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:48.112{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135473Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:48.112{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135472Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:48.112{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135471Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:48.112{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135470Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:48.112{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135469Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:48.112{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135468Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:48.112{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135467Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:48.112{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135466Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:48.112{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135465Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:48.112{6AAC6DF5-B0AF-6218-0500-000000003802}4241012C:\Windows\system32\csrss.exe{6AAC6DF5-CA90-6218-9D03-000000003802}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000135464Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:48.112{6AAC6DF5-B0B2-6218-2200-000000003802}15003888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6AAC6DF5-CA90-6218-9D03-000000003802}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000135463Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:48.113{6AAC6DF5-CA90-6218-9D03-000000003802}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6AAC6DF5-B0B0-6218-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{6AAC6DF5-B0B2-6218-2200-000000003802}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000135462Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:48.034{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=113E63A0FE0ED56E961B260316A8F363,SHA256=8D724FF0121A88B3DD04D1ECB54C50664569CB603EE4136BB4AC2B5700BF9342,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000190302Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:48.412{414E8EDF-B0AE-6218-0B00-000000003702}6324172C:\Windows\system32\lsass.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190301Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:48.412{414E8EDF-B0AE-6218-0B00-000000003702}6324172C:\Windows\system32\lsass.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000190329Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:49.975{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=931F55EA1D4CABA61F2656C635C77141,SHA256=70349C317EAF771E3ED541BDD2BD7B161427B0CC1417755BA97B253592C1F93E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135477Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:49.128{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4A49A1E63FCDC5A2FA1670B173C816B2,SHA256=997F1C7F4A144C1B11DDDEBEA2644618249B12B8E6267E00F9648DA84565DC18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135476Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:49.065{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92A18843C256578BBFCB29B21E2459C0,SHA256=45A7C4DF9CE6C34BD5ADA28EE364335EF47A9A1637DB8B63184DEC4B1FC3CADD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000190328Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:49.803{414E8EDF-B0DB-6218-8600-000000003702}49564688C:\Windows\Explorer.EXE{414E8EDF-CA91-6218-E603-000000003702}5864C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190327Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:49.803{414E8EDF-B0DB-6218-8600-000000003702}49564688C:\Windows\Explorer.EXE{414E8EDF-CA91-6218-E603-000000003702}5864C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190326Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:49.803{414E8EDF-B0DB-6218-8600-000000003702}49564688C:\Windows\Explorer.EXE{414E8EDF-CA91-6218-E603-000000003702}5864C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190325Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:49.741{414E8EDF-B0DB-6218-8100-000000003702}46444816C:\Windows\system32\taskhostw.exe{414E8EDF-CA91-6218-E703-000000003702}6000C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190324Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:49.741{414E8EDF-B0DB-6218-8100-000000003702}46444816C:\Windows\system32\taskhostw.exe{414E8EDF-CA91-6218-E703-000000003702}6000C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000190323Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:48.617{414E8EDF-B0C9-6218-6A00-000000003702}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52693-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000190322Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:49.694{414E8EDF-B0DB-6218-8600-000000003702}49564256C:\Windows\Explorer.EXE{414E8EDF-CA91-6218-E603-000000003702}5864C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190321Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:49.694{414E8EDF-B0DB-6218-8600-000000003702}49564256C:\Windows\Explorer.EXE{414E8EDF-CA91-6218-E603-000000003702}5864C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190320Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:49.694{414E8EDF-B0DB-6218-8600-000000003702}49564256C:\Windows\Explorer.EXE{414E8EDF-CA91-6218-E603-000000003702}5864C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190319Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:49.694{414E8EDF-B0DB-6218-8600-000000003702}49564256C:\Windows\Explorer.EXE{414E8EDF-CA91-6218-E603-000000003702}5864C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190318Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:49.694{414E8EDF-B0DB-6218-8600-000000003702}49564104C:\Windows\Explorer.EXE{414E8EDF-CA91-6218-E703-000000003702}6000C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+639b0|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190317Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:49.694{414E8EDF-B0DB-6218-8600-000000003702}49564104C:\Windows\Explorer.EXE{414E8EDF-CA91-6218-E703-000000003702}6000C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47d70|C:\Windows\System32\SHELL32.dll+6396c|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190316Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:49.694{414E8EDF-B0DB-6218-8600-000000003702}49564104C:\Windows\Explorer.EXE{414E8EDF-CA91-6218-E703-000000003702}6000C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63940|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190315Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:49.694{414E8EDF-B0DB-6218-8600-000000003702}49564104C:\Windows\Explorer.EXE{414E8EDF-CA91-6218-E703-000000003702}6000C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190314Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:49.662{414E8EDF-B0B1-6218-1600-000000003702}12882420C:\Windows\system32\svchost.exe{414E8EDF-CA91-6218-E703-000000003702}6000C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190313Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:49.662{414E8EDF-B0B1-6218-1600-000000003702}12881376C:\Windows\system32\svchost.exe{414E8EDF-CA91-6218-E703-000000003702}6000C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190312Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:49.647{414E8EDF-CA91-6218-E703-000000003702}60001020C:\Windows\system32\conhost.exe{414E8EDF-CA91-6218-E603-000000003702}5864C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190311Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:49.631{414E8EDF-B0D7-6218-7600-000000003702}40042260C:\Windows\system32\csrss.exe{414E8EDF-CA91-6218-E703-000000003702}6000C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000190310Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:49.616{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190309Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:49.616{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190308Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:49.616{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190307Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:49.616{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190306Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:49.616{414E8EDF-B0D7-6218-7600-000000003702}40043280C:\Windows\system32\csrss.exe{414E8EDF-CA91-6218-E603-000000003702}5864C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000190305Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:49.616{414E8EDF-B0DB-6218-8600-000000003702}49565268C:\Windows\Explorer.EXE{414E8EDF-CA91-6218-E603-000000003702}5864C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+a90ff|C:\Windows\System32\windows.storage.dll+a8d75|C:\Windows\System32\windows.storage.dll+a8866|C:\Windows\System32\windows.storage.dll+a9cd8|C:\Windows\System32\windows.storage.dll+a868e|C:\Windows\System32\windows.storage.dll+ab4a5|C:\Windows\System32\windows.storage.dll+ab824|C:\Windows\System32\windows.storage.dll+204ad4|C:\Windows\System32\windows.storage.dll+ad68a|C:\Windows\System32\windows.storage.dll+ad442|C:\Windows\System32\SHELL32.dll+3fa6d|C:\Windows\System32\SHELL32.dll+3e606|C:\Windows\System32\SHELL32.dll+80381|C:\Windows\System32\SHELL32.dll+6731e|C:\Windows\System32\SHELL32.dll+1758c0|C:\Windows\System32\SHELL32.dll+17c35c|C:\Windows\System32\SHELL32.dll+19eb28|C:\Windows\System32\SHELL32.dll+17c4f6|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07 154100x8000000000000000190304Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:49.619{414E8EDF-CA91-6218-E603-000000003702}5864C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"cmd.exe" /s /k pushd "C:\Program Files\ansible\sysmon"C:\Windows\system32\ATTACKRANGE\Administrator{414E8EDF-B0DA-6218-B7B0-070000000000}0x7b0b72HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 23542300x8000000000000000190348Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:50.975{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40CDFC8A611E8F0A9210CCCE4C94E9DF,SHA256=7185FCAE2B4D20D968E91534C15AA03A6C81A656CFA88D3526E424FBA35158B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135478Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:50.096{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AFE72BE0898832B064D9F43B4D27F76,SHA256=5F14BA5FEB1904E6EF242A56C310DCC5DF724311F992309E9524781E021BCA59,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000190347Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:50.866{414E8EDF-B0C0-6218-3300-000000003702}31843204C:\Windows\system32\conhost.exe{414E8EDF-CA92-6218-E903-000000003702}5628C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190346Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:50.866{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190345Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:50.866{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190344Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:50.866{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190343Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:50.866{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190342Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:50.866{414E8EDF-B0AE-6218-0500-000000003702}4165324C:\Windows\system32\csrss.exe{414E8EDF-CA92-6218-E903-000000003702}5628C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000190341Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:50.866{414E8EDF-B0BE-6218-2900-000000003702}27923692C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{414E8EDF-CA92-6218-E903-000000003702}5628C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000190340Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:50.867{414E8EDF-CA92-6218-E903-000000003702}5628C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{414E8EDF-B0AE-6218-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{414E8EDF-B0BE-6218-2900-000000003702}2792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000190339Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:50.647{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CA6E099B71AE1920A49D31BA2B04D210,SHA256=A72DB830CEC9AEF3A332EBDD5DC1DB3E2E8A5C1BFF65ADDDD8DDC52B025C0AE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190338Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:50.631{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1558687D6D10025B17E0F89100102070,SHA256=51BA39D8F68A44733594A639CF99AD4E053E6DCAC525517DD2517C750A4663A9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000190337Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:50.366{414E8EDF-B0C0-6218-3300-000000003702}31843204C:\Windows\system32\conhost.exe{414E8EDF-CA92-6218-E803-000000003702}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190336Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:50.366{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190335Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:50.366{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190334Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:50.366{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190333Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:50.366{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190332Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:50.366{414E8EDF-B0AE-6218-0500-000000003702}416372C:\Windows\system32\csrss.exe{414E8EDF-CA92-6218-E803-000000003702}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000190331Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:50.366{414E8EDF-B0BE-6218-2900-000000003702}27923692C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{414E8EDF-CA92-6218-E803-000000003702}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000190330Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:50.366{414E8EDF-CA92-6218-E803-000000003702}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{414E8EDF-B0AE-6218-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{414E8EDF-B0BE-6218-2900-000000003702}2792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000190359Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:51.991{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56BCC659F07B458E44B0A087563AB79C,SHA256=C122395E596FF6D8D966B661279560669936BE07FE3E0AB183D6753415782724,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135479Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:51.112{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02195735D2E18FF49B20F96C47F3FF87,SHA256=A9F82AC49DD72FC407182021E19B77BA2513E242F8BE2550FA0CA6F4C3A5FE1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190358Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:51.912{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CA6E099B71AE1920A49D31BA2B04D210,SHA256=A72DB830CEC9AEF3A332EBDD5DC1DB3E2E8A5C1BFF65ADDDD8DDC52B025C0AE2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000190357Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:51.538{414E8EDF-CA93-6218-EA03-000000003702}45924176C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{414E8EDF-B0BE-6218-2900-000000003702}2792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190356Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:51.366{414E8EDF-B0C0-6218-3300-000000003702}31843204C:\Windows\system32\conhost.exe{414E8EDF-CA93-6218-EA03-000000003702}4592C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190355Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:51.366{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190354Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:51.366{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190353Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:51.366{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190352Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:51.366{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190351Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:51.366{414E8EDF-B0AE-6218-0500-000000003702}416432C:\Windows\system32\csrss.exe{414E8EDF-CA93-6218-EA03-000000003702}4592C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000190350Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:51.366{414E8EDF-B0BE-6218-2900-000000003702}27923692C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{414E8EDF-CA93-6218-EA03-000000003702}4592C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000190349Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:51.367{414E8EDF-CA93-6218-EA03-000000003702}4592C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{414E8EDF-B0AE-6218-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{414E8EDF-B0BE-6218-2900-000000003702}2792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000135481Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:49.674{6AAC6DF5-B0C0-6218-5B00-000000003802}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-933.eu-central-1.compute.internal50986-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000135480Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:52.175{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2911391359351402C270F788C0313944,SHA256=78A605343B6F4495455152741C96FF7A79358A7B4D26536BBAD4DD44BA064A8E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000190376Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:52.944{414E8EDF-B0C0-6218-3300-000000003702}31843204C:\Windows\system32\conhost.exe{414E8EDF-CA94-6218-EC03-000000003702}2336C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190375Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:52.944{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190374Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:52.944{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190373Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:52.944{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190372Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:52.944{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190371Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:52.944{414E8EDF-B0AE-6218-0500-000000003702}416532C:\Windows\system32\csrss.exe{414E8EDF-CA94-6218-EC03-000000003702}2336C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000190370Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:52.944{414E8EDF-B0BE-6218-2900-000000003702}27923692C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{414E8EDF-CA94-6218-EC03-000000003702}2336C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000190369Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:52.944{414E8EDF-CA94-6218-EC03-000000003702}2336C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{414E8EDF-B0AE-6218-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{414E8EDF-B0BE-6218-2900-000000003702}2792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000190368Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:52.288{414E8EDF-CA94-6218-EB03-000000003702}21803236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{414E8EDF-B0BE-6218-2900-000000003702}2792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190367Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:52.038{414E8EDF-B0C0-6218-3300-000000003702}31843204C:\Windows\system32\conhost.exe{414E8EDF-CA94-6218-EB03-000000003702}2180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190366Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:52.038{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190365Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:52.038{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190364Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:52.038{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190363Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:52.038{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190362Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:52.038{414E8EDF-B0AE-6218-0500-000000003702}4165324C:\Windows\system32\csrss.exe{414E8EDF-CA94-6218-EB03-000000003702}2180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000190361Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:52.038{414E8EDF-B0BE-6218-2900-000000003702}27923692C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{414E8EDF-CA94-6218-EB03-000000003702}2180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000190360Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:52.038{414E8EDF-CA94-6218-EB03-000000003702}2180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{414E8EDF-B0AE-6218-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{414E8EDF-B0BE-6218-2900-000000003702}2792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000135482Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:53.190{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2CC6B12EFF907304EADC59E620196FD,SHA256=BF8DF40C01423792E51D36139979348E0A86D4822A89BD9CE1C5D4EB0DB02109,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000190390Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:52.898{414E8EDF-B0AE-6218-0B00-000000003702}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-478.attackrange.local52694-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-478.attackrange.local389ldap 354300x8000000000000000190389Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:52.898{414E8EDF-B0BE-6218-2B00-000000003702}2820C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-478.attackrange.local52694-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-478.attackrange.local389ldap 10341000x8000000000000000190388Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:53.819{414E8EDF-CA95-6218-ED03-000000003702}45805540C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{414E8EDF-B0BE-6218-2900-000000003702}2792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190387Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:53.616{414E8EDF-B0C0-6218-3300-000000003702}31843204C:\Windows\system32\conhost.exe{414E8EDF-CA95-6218-ED03-000000003702}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190386Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:53.616{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190385Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:53.616{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190384Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:53.616{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190383Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:53.616{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190382Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:53.616{414E8EDF-B0AE-6218-0500-000000003702}416532C:\Windows\system32\csrss.exe{414E8EDF-CA95-6218-ED03-000000003702}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000190381Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:53.616{414E8EDF-B0BE-6218-2900-000000003702}27923692C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{414E8EDF-CA95-6218-ED03-000000003702}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000190380Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:53.616{414E8EDF-CA95-6218-ED03-000000003702}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{414E8EDF-B0AE-6218-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{414E8EDF-B0BE-6218-2900-000000003702}2792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000190379Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:53.209{414E8EDF-CA94-6218-EC03-000000003702}23362640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{414E8EDF-B0BE-6218-2900-000000003702}2792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000190378Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:53.056{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C51A3CA11811FA0D4CFA55A3529F84A6,SHA256=175B4457C54EE4423A05E1600DB3712C9C8C4DB0714BF32855CA2FD25713969E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190377Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:52.992{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7D8294AA644672EF4BEB43C8A70348A,SHA256=BB54DE3D4A5FF7C250033E88D60D12C44F64D8C09680BB27BF17115890014F51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135483Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:54.206{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EFFCED4994555978B732310C3A87F3A,SHA256=2881C5834130EDBDEB8FAB513F42EEB67306755E050A3479C723BAB67A338505,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000190393Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:53.682{414E8EDF-B0C9-6218-6A00-000000003702}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52695-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000190392Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:54.663{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=315DA07F11D2C06A0A5D918801F40797,SHA256=D15ECC32F123ED96C31AFE5B07D747A079E13C9DB2CA777A47E8545A8AB23B82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190391Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:54.006{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=179A8E7A4CB9B116DC3F054AF7A37B57,SHA256=DD7224406D30DB7ABA230FE86A36E6B104F504F4E06C671CC579500381941EFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135484Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:55.221{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA6AAA8A16B092D8097DF20084FE6E4A,SHA256=3B56BED0606C6EEB494FFFCA4A996C5B1387E84F7CEA3E65466D1ABE100DE07A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190394Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:55.006{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1349BAE7FAEA01A9951E8BCC4DC0B408,SHA256=D54DEA90C47E6EC4182A902EB82E36135102A13685AF651D05FD684CECB25F33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135485Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:56.221{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A1341F2F03E7E14C6F947BD4AA88297,SHA256=BA2CA4C1A912D2A06EBC7289D8582B50D8BAF826E0AFAD271F6EEE3C9105F946,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000190403Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:56.835{414E8EDF-B0C0-6218-3300-000000003702}31843204C:\Windows\system32\conhost.exe{414E8EDF-CA98-6218-EE03-000000003702}5096C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190402Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:56.835{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190401Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:56.835{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190400Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:56.835{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190399Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:56.835{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190398Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:56.835{414E8EDF-B0AE-6218-0500-000000003702}416432C:\Windows\system32\csrss.exe{414E8EDF-CA98-6218-EE03-000000003702}5096C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000190397Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:56.835{414E8EDF-B0BE-6218-2900-000000003702}27923692C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{414E8EDF-CA98-6218-EE03-000000003702}5096C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000190396Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:56.835{414E8EDF-CA98-6218-EE03-000000003702}5096C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{414E8EDF-B0AE-6218-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{414E8EDF-B0BE-6218-2900-000000003702}2792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000190395Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:56.006{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=520839E94E1E47E65ED49B2438E0C7BB,SHA256=A0C2B185C6D66D942CAFD293FC143C532D0CD0DAB3BB7A053BFA6B0E00609286,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000135487Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:55.689{6AAC6DF5-B0C0-6218-5B00-000000003802}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-933.eu-central-1.compute.internal50987-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000135486Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:57.237{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD34942302D0F2390CB26ECB848713DC,SHA256=4FEAAC505C019E612F9683F821608F333B9C4FFA15C178738B5D3D4DA7A37325,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190405Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:57.928{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0EF9460FC29C827D9BAD401527913E9D,SHA256=82E659A6DFC32E6B3CABA97B28024E5E65D59CB4FBC3DDA6383494103B77CB6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190404Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:57.022{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=860C10196C64635161007B1B4BC8341A,SHA256=7CCA1A9E8EFF34047D3FE82B7FFDE732603E1A849FCD463980E49C28A65007E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135488Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:58.253{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E943CEED6CFCF39EB68280F4C8997EA,SHA256=A0E39C65D76AF14732D010880FE9EECE56E84ED8DB9AE2739DBCB9847880CBE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190406Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:58.038{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA20C9A75F1B1B979CD7C1A80ABABEB8,SHA256=2F8D13AE6675CCC1AE2359D9F5FB3297A00CFDE13CAF9BB3C7B9685590BF9492,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135489Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:24:59.268{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=624CD515FD3E36D0FBC573E8BD8072D2,SHA256=AE9F5929A5A24F69B5BCC70364F795AE3C80E83646985B370946B9A89154A975,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190407Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:59.053{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E2A4A11D0ADAA668F995DEA6F1AAC4C,SHA256=F7B07CBDD9F72FDF2579CBBE93227E648AB8914A8167CFDF9078E502A6D3D061,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135490Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:00.284{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=501C153EBF0893A9B91277536E704F64,SHA256=66D1C512D523FD8042A6D14B5B3756592985830E850B1A345BC5717F3386344B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000190409Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:24:59.726{414E8EDF-B0C9-6218-6A00-000000003702}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52696-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000190408Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:00.069{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AB332E0E3E2650B557F1370E60EC99E,SHA256=2BC7CBFBE5AD57899FA9D321F7BB3B7069697F56C3CFFD279ACAAAFFCA0C7907,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135491Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:01.284{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11C471828A80E503438D253AE1E5FBC4,SHA256=C9013EA06C27BBA3FE70587F76ADF76A4232B21ED8670761F9A26E98CC334BF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190410Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:01.069{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=586758B7C929BACB91D30D1240B4DFB3,SHA256=E31236334C75732D23DBEA16CD0670E73A60EEED55FD87835E8B1DAC082CD746,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135492Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:02.299{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78A3F57747648D6078331321EB01811D,SHA256=A57FB061CA1BFF865A9B16BAB2F8ECAB08BA7F94BAF863C1DC2819950985B5EE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000190419Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:02.944{414E8EDF-B0DB-6218-8600-000000003702}49565268C:\Windows\Explorer.EXE{414E8EDF-CA91-6218-E603-000000003702}5864C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\ole32.dll+8a220|C:\Windows\System32\ole32.dll+8c32e|C:\Windows\System32\ole32.dll+8c7fb|C:\Windows\System32\SHELL32.dll+2c8f2d|C:\Windows\System32\SHELL32.dll+283aae|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced|C:\Windows\system32\explorerframe.dll+1ac26|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+5888a 10341000x8000000000000000190418Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:02.944{414E8EDF-B0DB-6218-8600-000000003702}49565268C:\Windows\Explorer.EXE{414E8EDF-CA91-6218-E603-000000003702}5864C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\system32\dataexchange.dll+a087|C:\Windows\System32\ole32.dll+8c1a5|C:\Windows\System32\ole32.dll+8c7fb|C:\Windows\System32\SHELL32.dll+2c8f2d|C:\Windows\System32\SHELL32.dll+283aae|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced 10341000x8000000000000000190417Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:02.866{414E8EDF-B0B1-6218-1600-000000003702}12882420C:\Windows\system32\svchost.exe{414E8EDF-CA9E-6218-EF03-000000003702}2412C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190416Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:02.866{414E8EDF-B0B1-6218-1600-000000003702}12881376C:\Windows\system32\svchost.exe{414E8EDF-CA9E-6218-EF03-000000003702}2412C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190415Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:02.850{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-CA9E-6218-EF03-000000003702}2412C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190414Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:02.850{414E8EDF-B0D7-6218-7600-000000003702}40043116C:\Windows\system32\csrss.exe{414E8EDF-CA9E-6218-EF03-000000003702}2412C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000190413Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:02.850{414E8EDF-B0AE-6218-0500-000000003702}416432C:\Windows\system32\csrss.exe{414E8EDF-CA9E-6218-EF03-000000003702}2412C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000190412Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:02.850{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-CA9E-6218-EF03-000000003702}2412C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+366d9|c:\windows\system32\rpcss.dll+3bec2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000190411Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:02.084{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A226FCF363860D3932D44F994DC0C17,SHA256=6F62BC083578CADB2E2BE6F3C6B448AB0218779A4AAF95AD28FD2E20D21E3D41,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000135494Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:01.673{6AAC6DF5-B0C0-6218-5B00-000000003802}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-933.eu-central-1.compute.internal50988-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000135493Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:03.300{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7766948B92268EF7997B9AAE75728E89,SHA256=EA7F8D366F448A9BE0590AE140F49958AAF633F0D3154ACD2E4B2452C5DE6E59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190431Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:03.850{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DAD5B3DEF55662F4C5532B102667DF11,SHA256=0E0D72B53F0AECBC84582287780E7F2EE9B0DB38C03FEE9706A3886D50100175,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190430Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:03.850{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AC6C26D832AD7F45CFABFD427642D601,SHA256=5703B939AC879959CA3EC8153A0CD6DFF6E7968487626DF5868B5E48E94BC25C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000190429Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:03.553{414E8EDF-B0DB-6218-8600-000000003702}49564688C:\Windows\Explorer.EXE{414E8EDF-CA91-6218-E603-000000003702}5864C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190428Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:03.553{414E8EDF-B0DB-6218-8600-000000003702}49564688C:\Windows\Explorer.EXE{414E8EDF-CA91-6218-E603-000000003702}5864C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190427Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:03.553{414E8EDF-B0DB-6218-8600-000000003702}49564688C:\Windows\Explorer.EXE{414E8EDF-CA91-6218-E603-000000003702}5864C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190426Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:03.538{414E8EDF-B0DB-6218-8600-000000003702}49564104C:\Windows\Explorer.EXE{414E8EDF-CA91-6218-E703-000000003702}6000C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+639b0|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190425Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:03.538{414E8EDF-B0DB-6218-8600-000000003702}49564104C:\Windows\Explorer.EXE{414E8EDF-CA91-6218-E703-000000003702}6000C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47d70|C:\Windows\System32\SHELL32.dll+6396c|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190424Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:03.538{414E8EDF-B0DB-6218-8600-000000003702}49564104C:\Windows\Explorer.EXE{414E8EDF-CA91-6218-E703-000000003702}6000C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63940|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190423Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:03.538{414E8EDF-B0DB-6218-8600-000000003702}49564104C:\Windows\Explorer.EXE{414E8EDF-CA91-6218-E703-000000003702}6000C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190422Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:03.178{414E8EDF-B0DB-6218-8600-000000003702}49565268C:\Windows\Explorer.EXE{414E8EDF-CA91-6218-E603-000000003702}5864C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\ole32.dll+8a12e|C:\Windows\System32\ole32.dll+89a2b|C:\Windows\System32\ole32.dll+88be7|C:\Windows\System32\ole32.dll+8c817|C:\Windows\System32\SHELL32.dll+2c8f2d|C:\Windows\System32\SHELL32.dll+283aae|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced|C:\Windows\system32\explorerframe.dll+1ac26|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9 10341000x8000000000000000190421Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:03.178{414E8EDF-B0DB-6218-8600-000000003702}49565268C:\Windows\Explorer.EXE{414E8EDF-CA91-6218-E603-000000003702}5864C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\ole32.dll+b5f02|C:\Windows\System32\ole32.dll+899f9|C:\Windows\System32\ole32.dll+88be7|C:\Windows\System32\ole32.dll+8c817|C:\Windows\System32\SHELL32.dll+2c8f2d|C:\Windows\System32\SHELL32.dll+283aae|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced|C:\Windows\system32\explorerframe.dll+1ac26|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9 23542300x8000000000000000190420Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:03.100{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=741C7AE3E6E926C9C7A0D506740EE3D9,SHA256=EBBB3CFA83FDAB57B37347D5ECDCCA4DD28F51F62E0B05E4340F1E86DA05CD6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135495Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:04.315{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=102B1680C03C7BB47492D03D6916479D,SHA256=6E59849767E0710DAB334CEBD70B10A2CB04861AF1DAAACC5287DB17BF13049C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190432Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:04.100{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42069BC6927568DF3B214F628AA9A5CB,SHA256=D28E1684B931E68391E753427833BA38BBFD0C9000618382F6854A2A0B049030,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190433Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:05.100{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4727506E72BF66E323FCC5123DF8F081,SHA256=12BAC896D8B0323DAC1886F6CB2BD0C18E7EEDEAE456817E67EB5D72BB7C5C86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135496Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:05.331{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F49B2888401BB303995DBCF0BD6A67FE,SHA256=6C946B10DB089A2623E3488E3ABFE42AE0E1674521ED6070EC5161344A45FD3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190434Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:06.116{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02C1C5D2F627870FA2DEDD60936FDA15,SHA256=ABBE77D89A742FDEB118EC7CDC7E1422AF107B9F2DBA05262F08D84ED054E493,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135497Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:06.331{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A017AC4F2C912CE093C080354478F418,SHA256=6DE3CF6132D3942EBE2AB77C245064AF7DC6AEA3697D965A7FD5AD280A20B843,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135498Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:07.346{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4661E46F6F820A3EA25FE10E70D59528,SHA256=635DDFB23603E155A342B06FBF27C900E5C00D82440E6B3BE2F4F46B4B7726D8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000190436Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:05.695{414E8EDF-B0C9-6218-6A00-000000003702}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52697-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000190435Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:07.131{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55407F8B9FD65C0A48E2778159624FD9,SHA256=105B89003D84C50089726551D65CA647B85F05B45A8409CBFE444D554D7FAA1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135499Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:08.362{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F6C899A69D024E8FB1B95B61373E25C,SHA256=BC8B85E23C7BA46E80579BF19077F88DB2E9AF65A883CA1759F5AC76BC7B81F6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000190440Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:08.350{414E8EDF-B0AE-6218-0B00-000000003702}6324172C:\Windows\system32\lsass.exe{414E8EDF-B0AB-6218-0100-000000003702}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+97022|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2f1f1|C:\Windows\system32\lsasrv.dll+2d0d6|C:\Windows\system32\lsasrv.dll+32919|C:\Windows\system32\lsasrv.dll+30267|C:\Windows\system32\lsasrv.dll+2f1f1|C:\Windows\system32\lsasrv.dll+1752d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000190439Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:08.241{414E8EDF-B0AE-6218-0B00-000000003702}6324172C:\Windows\system32\lsass.exe{414E8EDF-B0B1-6218-1600-000000003702}1288C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190438Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:08.241{414E8EDF-B0AE-6218-0B00-000000003702}632684C:\Windows\system32\lsass.exe{414E8EDF-B0B1-6218-1600-000000003702}1288C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000190437Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:08.131{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B887E77DE6AD72AA5688020C7F1BB649,SHA256=FED2CA0A6CE3105C1E57B54D3F5D470501BFFD2A8C4ECF7112E70E4DE09FFB8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135500Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:09.378{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD96D4DA37AD5A90B388EE693F6A7B63,SHA256=571B25E51C5B551F8F8E0F971AEBB056943F8A741D5BD5A7CE6E565AAD049D26,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000190449Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:08.855{414E8EDF-B0AB-6218-0100-000000003702}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:5147:9304:4b1c:595fwin-dc-tcontreras-attack-range-478.attackrange.local52700-truefe80:0:0:0:5147:9304:4b1c:595fwin-dc-tcontreras-attack-range-478.attackrange.local445microsoft-ds 354300x8000000000000000190448Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:08.855{414E8EDF-B0AB-6218-0100-000000003702}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:5147:9304:4b1c:595fwin-dc-tcontreras-attack-range-478.attackrange.local52700-truefe80:0:0:0:5147:9304:4b1c:595fwin-dc-tcontreras-attack-range-478.attackrange.local445microsoft-ds 354300x8000000000000000190447Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:08.752{414E8EDF-B0AE-6218-0B00-000000003702}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52699-false10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local389ldap 354300x8000000000000000190446Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:08.752{414E8EDF-B0B1-6218-1600-000000003702}1288C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52699-false10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local389ldap 354300x8000000000000000190445Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:08.745{414E8EDF-B0AE-6218-0B00-000000003702}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:5147:9304:4b1c:595fwin-dc-tcontreras-attack-range-478.attackrange.local52698-truefe80:0:0:0:5147:9304:4b1c:595fwin-dc-tcontreras-attack-range-478.attackrange.local389ldap 354300x8000000000000000190444Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:08.745{414E8EDF-B0B1-6218-1600-000000003702}1288C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:5147:9304:4b1c:595fwin-dc-tcontreras-attack-range-478.attackrange.local52698-truefe80:0:0:0:5147:9304:4b1c:595fwin-dc-tcontreras-attack-range-478.attackrange.local389ldap 23542300x8000000000000000190443Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:09.319{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ABA41E37E4D80760639BEE3A40E49A44,SHA256=2642448982A71749A5969AFA7BEBE5AE5CE2541FFD58E67B4C7806FF22667496,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190442Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:09.319{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DAD5B3DEF55662F4C5532B102667DF11,SHA256=0E0D72B53F0AECBC84582287780E7F2EE9B0DB38C03FEE9706A3886D50100175,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190441Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:09.147{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA9F7557DC0267C14F251BF0C66DDECF,SHA256=AAA9D54990F4362993160B79388C7F5BE962F2307181BBE36789D8FDD649646E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190450Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:10.147{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A41D8C1EB5D27B91D76A8F2A0939143,SHA256=A1891395C1F7881592038292E958F510C3D42812C45FF6B2DC75D09AF26163DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135502Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:10.393{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0FF9FCCACCF298928764644A89C9719,SHA256=BDFC252CCE0AEB391720B72551A87CBA544AE32C64DD8DE2DDF9E24E57FC109B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000135501Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:07.658{6AAC6DF5-B0C0-6218-5B00-000000003802}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-933.eu-central-1.compute.internal50989-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000135503Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:11.409{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FA343D9C312EBBCD4C3E4B4AB888FC9,SHA256=51AF20E087998CB8FFD8DCD6924449458777D42B7FA6A056FEE948574F088BD5,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000190473Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-SetValue2022-02-25 12:25:11.881{414E8EDF-CAA7-6218-F003-000000003702}5916C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\ConfigHashSHA256=C04543402A6355D9D095BCB5FA9E7B02F2073E799FF44D1276B6F528654864C8 16341600x8000000000000000190472Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local2022-02-25 12:25:11.881C:\Program Files\ansible\AttackRangeSysmon.xmlSHA256=C04543402A6355D9D095BCB5FA9E7B02F2073E799FF44D1276B6F528654864C8 13241300x8000000000000000190471Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-SetValue2022-02-25 12:25:11.866{414E8EDF-CAA7-6218-F003-000000003702}5916C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\ConfigFileC:\Program Files\ansible\AttackRangeSysmon.xml 13241300x8000000000000000190470Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-SetValue2022-02-25 12:25:11.850{414E8EDF-CAA7-6218-F003-000000003702}5916C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\RulesBinary Data 13241300x8000000000000000190469Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-SetValue2022-02-25 12:25:11.850{414E8EDF-CAA7-6218-F003-000000003702}5916C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\DnsLookupBinary Data 13241300x8000000000000000190468Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-SetValue2022-02-25 12:25:11.850{414E8EDF-CAA7-6218-F003-000000003702}5916C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\CheckRevocationBinary Data 13241300x8000000000000000190467Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-SetValue2022-02-25 12:25:11.850{414E8EDF-CAA7-6218-F003-000000003702}5916C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\HashingAlgorithmDWORD (0x8000000e) 13241300x8000000000000000190466Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-SetValue2022-02-25 12:25:11.850{414E8EDF-CAA7-6218-F003-000000003702}5916C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\OptionsDWORD (0x00000007) 12241200x8000000000000000190465Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-DeleteValue2022-02-25 12:25:11.850{414E8EDF-CAA7-6218-F003-000000003702}5916C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\Rules 12241200x8000000000000000190464Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-DeleteValue2022-02-25 12:25:11.850{414E8EDF-CAA7-6218-F003-000000003702}5916C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\DnsLookup 12241200x8000000000000000190463Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-DeleteValue2022-02-25 12:25:11.850{414E8EDF-CAA7-6218-F003-000000003702}5916C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\CheckRevocation 12241200x8000000000000000190462Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-DeleteValue2022-02-25 12:25:11.850{414E8EDF-CAA7-6218-F003-000000003702}5916C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\HashingAlgorithm 12241200x8000000000000000190461Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-DeleteValue2022-02-25 12:25:11.850{414E8EDF-CAA7-6218-F003-000000003702}5916C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\Options 10341000x8000000000000000190460Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:11.850{414E8EDF-B0AE-6218-0B00-000000003702}6324172C:\Windows\system32\lsass.exe{414E8EDF-CAA7-6218-F003-000000003702}5916C:\Program Files\ansible\sysmon\Sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190459Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:11.756{414E8EDF-CA91-6218-E703-000000003702}60001020C:\Windows\system32\conhost.exe{414E8EDF-CAA7-6218-F003-000000003702}5916C:\Program Files\ansible\sysmon\Sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190458Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:11.756{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190457Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:11.756{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190456Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:11.756{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190455Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:11.756{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190454Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:11.756{414E8EDF-B0D7-6218-7600-000000003702}40043116C:\Windows\system32\csrss.exe{414E8EDF-CAA7-6218-F003-000000003702}5916C:\Program Files\ansible\sysmon\Sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000190453Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:11.756{414E8EDF-CA91-6218-E603-000000003702}58643228C:\Windows\system32\cmd.exe{414E8EDF-CAA7-6218-F003-000000003702}5916C:\Program Files\ansible\sysmon\Sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000190452Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:11.706{414E8EDF-CAA7-6218-F003-000000003702}5916C:\Program Files\ansible\sysmon\Sysmon64.exe13.01System activity monitorSysinternals SysmonSysinternals - www.sysinternals.com-Sysmon64.exe -c "C:\Program Files\ansible\AttackRangeSysmon.xml"C:\Program Files\ansible\sysmon\ATTACKRANGE\Administrator{414E8EDF-B0DA-6218-B7B0-070000000000}0x7b0b72HighMD5=8A914CFB7496B8461285C009DD8F5627,SHA256=422EC998FED690C2EC3239A4BB80075F098A9A95CBDFFBC873365B9F7136A02A,IMPHASH=DCF866F4139DD7FF6C0A5D4FA050CD7A{414E8EDF-CA91-6218-E603-000000003702}5864C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Program Files\ansible\sysmon" 23542300x8000000000000000190451Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:11.147{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F31D8E9BB0CD4E54C267BE669F40623E,SHA256=36B0BB531A7D304E21B77AD397F32D621D305A655368BD3F0900B9E831C67792,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135504Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:12.409{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72046D7516A91D22C20301430163DFFA,SHA256=DFF7FE5AB2D73BEF79C47C5E7F0F8DA5E6ECAB66C646146F4367455604E5BB7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190476Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:12.710{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ABA41E37E4D80760639BEE3A40E49A44,SHA256=2642448982A71749A5969AFA7BEBE5AE5CE2541FFD58E67B4C7806FF22667496,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190475Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:12.163{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8EF6A6FBE07E81BCDDDE8A888A1577F,SHA256=A2C4FF21918D4E3D65C0C0C9CBC974C67A0A32D0B4A9C295F4F043CFFEF1A58C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000190474Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:10.742{414E8EDF-B0C9-6218-6A00-000000003702}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52701-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000135506Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:13.662{6AAC6DF5-B0B2-6218-1D00-000000003802}1952NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d7ccee276d30a4b6\channels\health\respondent-20220225103429-107MD5=FBD42F5F8AA0DC0DD6067820063FF10B,SHA256=AAA41009555F09EFB0ED817562D7125DD50A33AE671816E82835424EE5CAE232,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135505Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:13.424{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C216BC5CE1886B1F5894D6896623359,SHA256=BB732CD2A42BB4673F8B8559EF4F64851D64C45FE5E313B0A9B1E22126807458,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190477Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:13.178{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=270B4B071F5F7F0DE53F6CC942056F73,SHA256=D46E1E6356BBFD172A406406CBA01E4B7750C144473391FFB8DD10435ACA761C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190486Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:14.647{414E8EDF-C88D-6218-AA03-000000003702}4564ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\session.xmlMD5=3DEB0FB20EF43DAB77BA65B61A435BD1,SHA256=A7A90E21E5345BD9232479C637CA4DEB267182921F48B970D05BFFED7C3818D7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000190485Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:14.585{414E8EDF-B0DB-6218-8600-000000003702}49564256C:\Windows\Explorer.EXE{414E8EDF-C88D-6218-AA03-000000003702}4564C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190484Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:14.585{414E8EDF-B0DB-6218-8600-000000003702}49564256C:\Windows\Explorer.EXE{414E8EDF-C88D-6218-AA03-000000003702}4564C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190483Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:14.585{414E8EDF-B0DB-6218-8600-000000003702}49564256C:\Windows\Explorer.EXE{414E8EDF-C88D-6218-AA03-000000003702}4564C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190482Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:14.553{414E8EDF-B0DB-6218-8600-000000003702}49564104C:\Windows\Explorer.EXE{414E8EDF-C88D-6218-AA03-000000003702}4564C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+639b0|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190481Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:14.553{414E8EDF-B0DB-6218-8600-000000003702}49564104C:\Windows\Explorer.EXE{414E8EDF-C88D-6218-AA03-000000003702}4564C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47d70|C:\Windows\System32\SHELL32.dll+6396c|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190480Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:14.553{414E8EDF-B0DB-6218-8600-000000003702}49564104C:\Windows\Explorer.EXE{414E8EDF-C88D-6218-AA03-000000003702}4564C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63940|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190479Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:14.553{414E8EDF-B0DB-6218-8600-000000003702}49564104C:\Windows\Explorer.EXE{414E8EDF-C88D-6218-AA03-000000003702}4564C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000190478Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:14.194{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=747A570D54D2040C87994D7CCB09B7DE,SHA256=EF6D1480FC9EFEB04C9CB60011781F989D47FB9F8D7F988EC9B1CEE0220890E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135508Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:14.662{6AAC6DF5-B0B2-6218-1D00-000000003802}1952NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d7ccee276d30a4b6\channels\health\surveyor-20220225103427-108MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135507Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:14.427{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4335E6B9F2B961DB5295C62631A99006,SHA256=2C34CCB1513AC4C18B99C665ECD591A09A749373C7B871464C839FD93850BDDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135509Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:15.428{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEB048F5B57404133F9DFA450D87FB90,SHA256=2C12927D4009C7EE67CFBEBC19D9DF881B090A42F77FDB24565F05F601D1EC7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190487Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:15.210{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D1402688D47775DA164822BF03B5489,SHA256=C3A9029528634BFD2481BCE96BCA0273FE2A6978707956678A069C7495EFCDC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135511Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:16.444{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=716FE02E687EDAEF0879660059FDF730,SHA256=ACA5D4D3DFCBDAC0A31F53ABB2E3FE2BBB06559C3CCE12F01CFA55FF43028C96,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000190498Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:16.444{414E8EDF-B0DB-6218-8600-000000003702}49564256C:\Windows\Explorer.EXE{414E8EDF-C90F-6218-BB03-000000003702}5760C:\Program Files\IDA Freeware 7.6\ida64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190497Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:16.444{414E8EDF-B0DB-6218-8600-000000003702}49564256C:\Windows\Explorer.EXE{414E8EDF-C90F-6218-BB03-000000003702}5760C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190496Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:16.444{414E8EDF-B0DB-6218-8600-000000003702}49564256C:\Windows\Explorer.EXE{414E8EDF-C90F-6218-BB03-000000003702}5760C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190495Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:16.350{414E8EDF-B0DB-6218-8600-000000003702}49564256C:\Windows\Explorer.EXE{414E8EDF-C90F-6218-BB03-000000003702}5760C:\Program Files\IDA Freeware 7.6\ida64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190494Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:16.350{414E8EDF-B0DB-6218-8600-000000003702}49564256C:\Windows\Explorer.EXE{414E8EDF-C90F-6218-BB03-000000003702}5760C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190493Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:16.350{414E8EDF-B0DB-6218-8600-000000003702}49564256C:\Windows\Explorer.EXE{414E8EDF-C90F-6218-BB03-000000003702}5760C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190492Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:16.350{414E8EDF-B0DB-6218-8600-000000003702}49564104C:\Windows\Explorer.EXE{414E8EDF-C90F-6218-BB03-000000003702}5760C:\Program Files\IDA Freeware 7.6\ida64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+639b0|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190491Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:16.335{414E8EDF-B0DB-6218-8600-000000003702}49564104C:\Windows\Explorer.EXE{414E8EDF-C90F-6218-BB03-000000003702}5760C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47d70|C:\Windows\System32\SHELL32.dll+6396c|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190490Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:16.335{414E8EDF-B0DB-6218-8600-000000003702}49564104C:\Windows\Explorer.EXE{414E8EDF-C90F-6218-BB03-000000003702}5760C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63940|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190489Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:16.335{414E8EDF-B0DB-6218-8600-000000003702}49564104C:\Windows\Explorer.EXE{414E8EDF-C90F-6218-BB03-000000003702}5760C:\Program Files\IDA Freeware 7.6\ida64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000190488Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:16.210{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED5CB5564174B916476690DE013A2F00,SHA256=6FC4D714556AA11F84EBB57AA2AC781C674B3FAF5F31C426DDBD91947D0F4592,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000135510Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:13.629{6AAC6DF5-B0C0-6218-5B00-000000003802}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-933.eu-central-1.compute.internal50990-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000135512Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:17.459{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=752C663FB720CEF95553B04F21FC33AA,SHA256=A05E6DE6CD2734BC6FBB91E835DEB4F13B45AF4C824A5F90AFB737146720CD5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190499Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:17.210{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09E118988214178E9AAC386AADB6C48B,SHA256=11CB3ACAD92B3E9BFCA43D50C834866E50CC22EFA49FFE274B5D054306DEB1DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135513Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:18.491{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4AFB1131C583B67C493843F59681809,SHA256=9ECD34A40F5B5D8DA8BEE09A2CF2540F9DDC015D69071CF8DF8CFDEF5C49DFAD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000190522Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:16.695{414E8EDF-B0C9-6218-6A00-000000003702}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52702-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000190521Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:18.241{414E8EDF-C90F-6218-BB03-000000003702}5760ATTACKRANGE\AdministratorC:\Program Files\IDA Freeware 7.6\ida64.exeC:\Users\Administrator\Downloads\1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591\1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591.id2MD5=929CC5FC548F08B621B9F065085E13FF,SHA256=B8C4277EC375995A5525A5FF2559DEFE58FEE1724321113F2A2679B459BA3778,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190520Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:18.241{414E8EDF-C90F-6218-BB03-000000003702}5760ATTACKRANGE\AdministratorC:\Program Files\IDA Freeware 7.6\ida64.exeC:\Users\Administrator\Downloads\1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591\1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591.tilMD5=FA5258A541A589802D2DA25AE95E644C,SHA256=A98241B70E35A070BC1F0BDC77A331E5FCBD6DECDE66AA399605931832982674,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190519Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:18.241{414E8EDF-C90F-6218-BB03-000000003702}5760ATTACKRANGE\AdministratorC:\Program Files\IDA Freeware 7.6\ida64.exeC:\Users\Administrator\Downloads\1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591\1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591.namMD5=81DCCA17C5D9D61DC3F0CA63429A602A,SHA256=829B4D099C0C53989D846445BCEB6C7110AC9EE71DEA7603F2A3345F1FB216EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190518Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:18.241{414E8EDF-C90F-6218-BB03-000000003702}5760ATTACKRANGE\AdministratorC:\Program Files\IDA Freeware 7.6\ida64.exeC:\Users\Administrator\Downloads\1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591\1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591.id1MD5=3996FFAA2CFBDCF05166CF5463ACD7DD,SHA256=6BF2A086A8AD5E4D8EAF8889B1E6ACCA990AFE77CCDBF0775DFB458A6D7D735E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190517Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:18.241{414E8EDF-C90F-6218-BB03-000000003702}5760ATTACKRANGE\AdministratorC:\Program Files\IDA Freeware 7.6\ida64.exeC:\Users\Administrator\Downloads\1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591\1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591.id0MD5=2707F284F6FA65A2B29EE3CF40D6E5C4,SHA256=C6799367F4728459F584429F77F9F6A0E840FB0891481C0525BF011E9BB53C4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190516Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:18.225{414E8EDF-C90F-6218-BB03-000000003702}5760ATTACKRANGE\AdministratorC:\Program Files\IDA Freeware 7.6\ida64.exeC:\Users\Administrator\Downloads\1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591\1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591.i64MD5=2F09FDC0789EAAD415019851CAF64184,SHA256=91A60DD8889600D0C322DF499ED09DDF6A1D3116A235BA54B856CA790C2A91F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190515Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:18.225{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=781771C84180EF987F468A1B47680FE8,SHA256=C526B2F774C2A7F039442FC72F0F3ECB67BCEE404E5D4CD42C999A0401F1A774,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000190514Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:18.225{414E8EDF-B0DB-6218-8600-000000003702}49564256C:\Windows\Explorer.EXE{414E8EDF-C90F-6218-BB03-000000003702}5760C:\Program Files\IDA Freeware 7.6\ida64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190513Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:18.225{414E8EDF-B0DB-6218-8600-000000003702}49564256C:\Windows\Explorer.EXE{414E8EDF-C90F-6218-BB03-000000003702}5760C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190512Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:18.225{414E8EDF-B0DB-6218-8600-000000003702}49564256C:\Windows\Explorer.EXE{414E8EDF-C90F-6218-BB03-000000003702}5760C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190511Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:18.178{414E8EDF-B0DB-6218-8600-000000003702}49564256C:\Windows\Explorer.EXE{414E8EDF-C90F-6218-BB03-000000003702}5760C:\Program Files\IDA Freeware 7.6\ida64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190510Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:18.178{414E8EDF-B0DB-6218-8600-000000003702}49564256C:\Windows\Explorer.EXE{414E8EDF-C90F-6218-BB03-000000003702}5760C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190509Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:18.178{414E8EDF-B0DB-6218-8600-000000003702}49564256C:\Windows\Explorer.EXE{414E8EDF-C90F-6218-BB03-000000003702}5760C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190508Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:18.178{414E8EDF-B0DB-6218-8600-000000003702}49564688C:\Windows\Explorer.EXE{414E8EDF-C90F-6218-BB03-000000003702}5760C:\Program Files\IDA Freeware 7.6\ida64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190507Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:18.178{414E8EDF-B0DB-6218-8600-000000003702}49564688C:\Windows\Explorer.EXE{414E8EDF-C90F-6218-BB03-000000003702}5760C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190506Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:18.178{414E8EDF-B0DB-6218-8600-000000003702}49564688C:\Windows\Explorer.EXE{414E8EDF-C90F-6218-BB03-000000003702}5760C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190505Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:18.178{414E8EDF-B0DB-6218-8600-000000003702}49564688C:\Windows\Explorer.EXE{414E8EDF-C90F-6218-BB03-000000003702}5760C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000190504Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.localDownloads2022-02-25 12:25:18.163{414E8EDF-C90F-6218-BB03-000000003702}5760C:\Program Files\IDA Freeware 7.6\ida64.exeC:\Users\Administrator\Downloads\1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591\1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591.$$$2022-02-25 12:25:18.163 10341000x8000000000000000190503Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:18.131{414E8EDF-B0AE-6218-0B00-000000003702}6324172C:\Windows\system32\lsass.exe{414E8EDF-C90F-6218-BB03-000000003702}5760C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190502Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:18.069{414E8EDF-B0DB-6218-8600-000000003702}49564256C:\Windows\Explorer.EXE{414E8EDF-C90F-6218-BB03-000000003702}5760C:\Program Files\IDA Freeware 7.6\ida64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190501Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:18.069{414E8EDF-B0DB-6218-8600-000000003702}49564256C:\Windows\Explorer.EXE{414E8EDF-C90F-6218-BB03-000000003702}5760C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190500Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:18.069{414E8EDF-B0DB-6218-8600-000000003702}49564256C:\Windows\Explorer.EXE{414E8EDF-C90F-6218-BB03-000000003702}5760C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000135514Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:19.522{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8E3F26063956CA8AD380329B2C06D1A,SHA256=3A2D47D949FFD680EFA9EEDD63AE78A226D8A9B63DF56F7E50C6DAF2338EE588,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190523Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:19.241{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A52958A1C535F1E8C9DE8186F372A49C,SHA256=26A72AB287139E088F4E08DE40251B15C9DD842DC16D4498453C939C9B9E93BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135516Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:20.538{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5218FE9C9B23ACA7DA3AC9B72E8F29EF,SHA256=2D9B13D5DA1873B6239417B22D68137B833625FE8D7F36F1169A8641314A58D6,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000190527Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.localInvDBSetValue2022-02-25 12:25:20.382{414E8EDF-B0B1-6218-1300-000000003702}620C:\Windows\System32\svchost.exeHKU\S-1-5-21-795933930-2430943309-2786954947-500\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\C:\Program Files\IDA Freeware 7.6\ida64.exeBinary Data 23542300x8000000000000000190526Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:20.350{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CCD3D1D8F0C18EB4D8A5C69B29D7AB48,SHA256=708B1BE4298BFC268058BF5F37609746FCF016E8A83A4F6C5DB76EED212A082C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190525Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:20.350{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C2FA81E3E19A9D2721B61B736AFA6BEE,SHA256=A27CD42D3FB9897B9667CA25FC185ABDE161E0CD118114C9CC2CCE97D243E109,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190524Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:20.256{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCECA4E2B16145F441F3DD3BDDDE7FB8,SHA256=B68AF226766D1F33B74C37BFCDF188487B6C2077B55C9EED574DBC2451A96BA0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000135515Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:18.693{6AAC6DF5-B0C0-6218-5B00-000000003802}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-933.eu-central-1.compute.internal50991-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000135517Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:21.553{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=151F18EA8C56051171631D75C551B99F,SHA256=56A0C8E7FEA14811EE185F5C861537A3F25275B7C2F739851403C104BC68FB23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190528Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:21.256{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3273956E820985BCB8F355D113A46BC3,SHA256=03724F6FDF6DCBFA94C267C5C9F5010EEC79520F934BDEDBED53980D970F7064,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190529Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:22.272{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=513E33E61EF27783C43EA7EFBE61E9CA,SHA256=8E760ADE092450A834551C688B1896CC13FCC0F63E224D7F22F02C7EC9044D3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135518Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:22.584{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00B9F306C3CD85A42315C357ED37342B,SHA256=E7FAD4B32CAFE534B24F4D9D2145AD5E4CC59494ED8AB38C6448BFA305B6FF4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135519Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:23.647{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC01DE38C58B8B8F0E90BAFC5092E57A,SHA256=996B2A5677CA4667DAE8C8EA6BD2F7A0DB57E7DC6BE2D0F988303EDDD35D1E49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190530Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:23.272{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5A20E2F62414F7DB757042C5B5D46FA,SHA256=5EFC7A5BB3898F419F0C45105E9406AA270BF2E0F3CDC441892727E3C69ED2DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135520Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:24.678{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1016F7B2784CDEDBA1F21F61662A0E53,SHA256=2D3AB773F08971D045AD6EB7C75287002CC8598F630AF3EC31D4711C1C80A380,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000190533Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:22.523{414E8EDF-B0C9-6218-6A00-000000003702}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52703-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000190532Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:24.450{414E8EDF-B0BE-6218-2400-000000003702}2716NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0cad71091a725587e\channels\health\respondent-20220225103441-107MD5=E961008872A85D9E7B2EDCDB9076BE5A,SHA256=4C7B4263F3F8553ACCFCCC53A0FA56737D447810FFCB4A43A3BA8D688A9FDFED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190531Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:24.288{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=480B99FC2B4ADE60D2EB0EB3FD22EFDE,SHA256=B894E66A9276A98F6EC52E9F0F74CEF7E9DEC79E224B34520D721FFA0C363B85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135521Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:25.725{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E2302CEA9EBDD1B6D1897906E279A44,SHA256=C4DAF21CE94594F543EA45C6049ECDD8CB24E9962BF3E84EC25E1D3AE6503572,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190536Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:25.528{414E8EDF-B0B1-6218-1100-000000003702}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=74185D3EECF435A357D10557EF4E3C3C,SHA256=6CFA2BA1FB723CDAB5DDEEB94B003B04221E6A68C2620C39D713F2BA60DC585B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190535Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:25.449{414E8EDF-B0BE-6218-2400-000000003702}2716NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0cad71091a725587e\channels\health\surveyor-20220225103439-108MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190534Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:25.291{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6152D9C1FADE18D9E6B6F6ED9F0950D,SHA256=507673838757D96F8497D5F6C7E0C0626E1A25A3793157B7AF1DA3636E1C80DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135524Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:26.819{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B89E9AFAA26A32CB8CF6DF9050F76997,SHA256=BCCC4B1DDEFC449A86FA902EDCDD4808112488E34DE708EFA98C3A248D7129C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135523Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:26.819{6AAC6DF5-B0B1-6218-1300-000000003802}108NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=B6486BF6E3B547C3AAF02CF05150A83F,SHA256=CD2D7B97794447A12730FF5E81E678B079CAEEA2C6E7BBF20C26C11D41BD082E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190537Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:26.296{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=660E630C193650D437FAB2AB23602180,SHA256=3526AF581649C2F706F7430041E42D162B3E48124F3ABC445A84BC68B3274F5D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000135522Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:24.568{6AAC6DF5-B0C0-6218-5B00-000000003802}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-933.eu-central-1.compute.internal50992-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000135525Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:27.850{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=439EF87B253D2347954D2A27F788E126,SHA256=CF1A17E9D0D8148E2640D127C8D4092A60BFEC80D1C8099518F1B3BA3653C498,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190538Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:27.296{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE05B01DCE4CD964921ACEB6DFF0F915,SHA256=6A9D3100784DA00B99DD3DBAA020FDBA51126D483AF721BA2032B608B1283CE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135526Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:28.881{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9520FCAAE920D05E9B418A3B3F4D87D7,SHA256=0D4801F18F36A246067372FB97E6E80568FE8E747C48CD356CB2B3B8F45BEA77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190539Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:28.312{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8AEA2736574B3CB833BCEFEB7AFED87,SHA256=CC3B599913349D2C0DFEB6435209DA0AEBAADDA74E1EBF1EAC91EDBB1CF6D28E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135527Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:29.897{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FB11C810DCA965ABCA1D851B9EDDB30,SHA256=65A4D14C8EE90F76ECBE4193690596CF6FFECD3C5D265E8EF53D86CA5CCFDA31,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000190541Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:27.641{414E8EDF-B0C9-6218-6A00-000000003702}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52704-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000190540Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:29.328{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=018D3AFE217F49280B497CAC5831BB04,SHA256=BBEF83D1785D55158DB964BC3150A216D545039043E5246EF8EE753DBA86B3EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135539Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:30.975{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EC3BE6491E28FEBD660E419AF3F740A,SHA256=F5CA87681D3E5795BCEDDBF1782A78E7A1F2BE754621C11900D6BC42C2AEF308,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000190547Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-SetValue2022-02-25 12:25:30.500{414E8EDF-B0BE-6218-2300-000000003702}2708C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\6FC0DF5C-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_6FC0DF5C-0000-0000-0000-100000000000.XML 13241300x8000000000000000190546Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-SetValue2022-02-25 12:25:30.500{414E8EDF-B0BE-6218-2300-000000003702}2708C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\5AC55B93-C186-4CC0-9DA1-B24F3F6A7ED5\Config SourceDWORD (0x00000001) 13241300x8000000000000000190545Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-SetValue2022-02-25 12:25:30.500{414E8EDF-B0BE-6218-2300-000000003702}2708C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\5AC55B93-C186-4CC0-9DA1-B24F3F6A7ED5\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_5AC55B93-C186-4CC0-9DA1-B24F3F6A7ED5.XML 10341000x8000000000000000190544Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:30.484{414E8EDF-B0AE-6218-0B00-000000003702}6324172C:\Windows\system32\lsass.exe{414E8EDF-B0BE-6218-2300-000000003702}2708C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190543Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:30.484{414E8EDF-B0AE-6218-0B00-000000003702}6324172C:\Windows\system32\lsass.exe{414E8EDF-B0BE-6218-2300-000000003702}2708C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000190542Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:30.328{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA3E409A8CF9043B97321E746AD98BA5,SHA256=8C9BF879472920F14EC44712018D2308FB512CC807D2C75FCF030A71C70BE6CE,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000135538Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-SetValue2022-02-25 12:25:30.381{6AAC6DF5-B0B0-6218-0B00-000000003802}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x8000000000000000135537Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-SetValue2022-02-25 12:25:30.381{6AAC6DF5-B0B0-6218-0B00-000000003802}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0065cce9) 13241300x8000000000000000135536Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-SetValue2022-02-25 12:25:30.381{6AAC6DF5-B0B0-6218-0B00-000000003802}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d82a3a-0x64fdf239) 13241300x8000000000000000135535Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-SetValue2022-02-25 12:25:30.381{6AAC6DF5-B0B0-6218-0B00-000000003802}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d82a42-0xc6c25a39) 13241300x8000000000000000135534Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-SetValue2022-02-25 12:25:30.381{6AAC6DF5-B0B0-6218-0B00-000000003802}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d82a4b-0x2886c239) 13241300x8000000000000000135533Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-SetValue2022-02-25 12:25:30.381{6AAC6DF5-B0B0-6218-0B00-000000003802}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x8000000000000000135532Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-SetValue2022-02-25 12:25:30.381{6AAC6DF5-B0B0-6218-0B00-000000003802}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0065cce9) 13241300x8000000000000000135531Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-SetValue2022-02-25 12:25:30.381{6AAC6DF5-B0B0-6218-0B00-000000003802}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d82a3a-0x64fdf239) 13241300x8000000000000000135530Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-SetValue2022-02-25 12:25:30.381{6AAC6DF5-B0B0-6218-0B00-000000003802}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d82a42-0xc6c25a39) 13241300x8000000000000000135529Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-SetValue2022-02-25 12:25:30.381{6AAC6DF5-B0B0-6218-0B00-000000003802}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d82a4b-0x2886c239) 23542300x8000000000000000135528Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:30.225{6AAC6DF5-B0B2-6218-2200-000000003802}1500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=4A396A40DE4AD844AFDFD6BFEE34209D,SHA256=ABC582D2644B8C5C1CF17206963A01B55D9A40BBB1979B03D8F2D216AA803ABE,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000190577Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-SetValue2022-02-25 12:25:31.906{414E8EDF-B0AE-6218-0A00-000000003702}624C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\fndr\WOW64DWORD (0x00000001) 13241300x8000000000000000190576Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-SetValue2022-02-25 12:25:31.906{414E8EDF-B0AE-6218-0A00-000000003702}624C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\fndr\DisplayNamefndr 13241300x8000000000000000190575Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.localT1031,T1050SetValue2022-02-25 12:25:31.906{414E8EDF-B0AE-6218-0A00-000000003702}624C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\fndr\ImagePath\??\C:\Windows\system32\Drivers\fndr.sys 13241300x8000000000000000190574Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-SetValue2022-02-25 12:25:31.906{414E8EDF-B0AE-6218-0A00-000000003702}624C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\fndr\ErrorControlDWORD (0x00000001) 13241300x8000000000000000190573Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.localT1031,T1050SetValue2022-02-25 12:25:31.906{414E8EDF-B0AE-6218-0A00-000000003702}624C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\fndr\StartDWORD (0x00000003) 13241300x8000000000000000190572Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-SetValue2022-02-25 12:25:31.906{414E8EDF-B0AE-6218-0A00-000000003702}624C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\fndr\TypeDWORD (0x00000001) 10341000x8000000000000000190571Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:31.906{414E8EDF-B0AE-6218-0B00-000000003702}632804C:\Windows\system32\lsass.exe{414E8EDF-CABB-6218-F103-000000003702}6068C:\Temp\c.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000190570Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.localT10232022-02-25 12:25:31.906{414E8EDF-CABB-6218-F103-000000003702}6068C:\Temp\c.exeC:\Windows\System32\drivers\fndr.sys2022-02-25 12:25:31.906 924900x8000000000000000190569Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:31.890{414E8EDF-CABB-6218-F103-000000003702}6068C:\Temp\c.exe\Device\HarddiskVolume1 11241100x8000000000000000190568Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.localT10232022-02-25 12:25:31.890{414E8EDF-CABB-6218-F103-000000003702}6068C:\Temp\c.exeC:\Windows\System32\drivers\fndr2022-02-25 12:25:31.890 13241300x8000000000000000190567Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-SetValue2022-02-25 12:25:31.890{414E8EDF-CABB-6218-F103-000000003702}6068C:\Temp\c.exeHKLM\System\CurrentControlSet\Control\CrashControl\CrashDumpEnabledDWORD (0x00000000) 10341000x8000000000000000190566Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:31.890{414E8EDF-B0AE-6218-0B00-000000003702}632804C:\Windows\system32\lsass.exe{414E8EDF-CABB-6218-F103-000000003702}6068C:\Temp\c.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190565Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:31.875{414E8EDF-B0AE-6218-0B00-000000003702}632804C:\Windows\system32\lsass.exe{414E8EDF-CABB-6218-F103-000000003702}6068C:\Temp\c.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000190564Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:30.987{414E8EDF-B0B0-6218-0D00-000000003702}900C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:5147:9304:4b1c:595fwin-dc-tcontreras-attack-range-478.attackrange.local52705-truefe80:0:0:0:5147:9304:4b1c:595fwin-dc-tcontreras-attack-range-478.attackrange.local135epmap 354300x8000000000000000190563Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:30.987{414E8EDF-B0BE-6218-2300-000000003702}2708C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:5147:9304:4b1c:595fwin-dc-tcontreras-attack-range-478.attackrange.local52705-truefe80:0:0:0:5147:9304:4b1c:595fwin-dc-tcontreras-attack-range-478.attackrange.local135epmap 10341000x8000000000000000190562Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:31.359{414E8EDF-B0AE-6218-0B00-000000003702}632684C:\Windows\system32\lsass.exe{414E8EDF-B0BE-6218-2300-000000003702}2708C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190561Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:31.359{414E8EDF-B0AE-6218-0B00-000000003702}6324172C:\Windows\system32\lsass.exe{414E8EDF-B0BE-6218-2300-000000003702}2708C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190560Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:31.359{414E8EDF-B0AE-6218-0B00-000000003702}6324172C:\Windows\system32\lsass.exe{414E8EDF-B0BE-6218-2300-000000003702}2708C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000190559Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:31.359{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3DE23CBF695950E744A94A3B5661695,SHA256=AF337271ADC002832C6D0F0E68BA5693B8BD83821C3344B060F7DFD7AFF07190,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000135541Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:29.740{6AAC6DF5-B0C0-6218-5B00-000000003802}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-933.eu-central-1.compute.internal50994-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000135540Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:29.708{6AAC6DF5-B0B2-6218-2200-000000003802}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-933.eu-central-1.compute.internal50993-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 10341000x8000000000000000190558Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:31.265{414E8EDF-B0B1-6218-1300-000000003702}6205536C:\Windows\System32\svchost.exe{414E8EDF-CABB-6218-F103-000000003702}6068C:\Temp\c.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000190557Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.localInvDBSetValue2022-02-25 12:25:31.265{414E8EDF-B0B1-6218-1300-000000003702}620C:\Windows\System32\svchost.exeHKU\S-1-5-21-795933930-2430943309-2786954947-500\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\C:\Temp\c.exeBinary Data 10341000x8000000000000000190556Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:31.265{414E8EDF-B0B1-6218-1300-000000003702}620516C:\Windows\System32\svchost.exe{414E8EDF-CABB-6218-F103-000000003702}6068C:\Temp\c.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\pcasvc.dll+52e4|c:\windows\system32\pcasvc.dll+58a9|c:\windows\system32\pcasvc.dll+5b49|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+3534e|C:\Windows\System32\RPCRT4.dll+20cc7|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190555Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:31.265{414E8EDF-B0B1-6218-1300-000000003702}620516C:\Windows\System32\svchost.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1440C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+5bab|c:\windows\system32\pcasvc.dll+5b07|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+3534e|C:\Windows\System32\RPCRT4.dll+20cc7|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190554Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:31.265{414E8EDF-B0D7-6218-7600-000000003702}40043280C:\Windows\system32\csrss.exe{414E8EDF-CABB-6218-F103-000000003702}6068C:\Temp\c.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000190553Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:31.265{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190552Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:31.265{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190551Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:31.265{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190550Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:31.265{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190549Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:31.265{414E8EDF-B0DB-6218-8600-000000003702}49565964C:\Windows\Explorer.EXE{414E8EDF-CABB-6218-F103-000000003702}6068C:\Temp\c.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+a90ff|C:\Windows\System32\windows.storage.dll+a8d75|C:\Windows\System32\windows.storage.dll+a8866|C:\Windows\System32\windows.storage.dll+a9cd8|C:\Windows\System32\windows.storage.dll+a868e|C:\Windows\System32\windows.storage.dll+ab4a5|C:\Windows\System32\windows.storage.dll+ab824|C:\Windows\System32\windows.storage.dll+aae60|C:\Windows\System32\windows.storage.dll+ad68a|C:\Windows\System32\windows.storage.dll+ad442|C:\Windows\System32\SHELL32.dll+3fa6d|C:\Windows\System32\SHELL32.dll+3e606|C:\Windows\System32\SHELL32.dll+80381|C:\Windows\System32\SHELL32.dll+6731e|C:\Windows\System32\SHELL32.dll+18cf1c|C:\Windows\System32\SHELL32.dll+18cc73|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000190548Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:31.266{414E8EDF-CABB-6218-F103-000000003702}6068C:\Temp\c.exe-----"C:\Temp\c.exe" C:\Temp\ATTACKRANGE\Administrator{414E8EDF-B0DA-6218-B7B0-070000000000}0x7b0b72HighMD5=3F4A16B29F2F0532B7CE3E7656799125,SHA256=1BC44EEF75779E3CA1EEFB8FF5A64807DBC942B1E4A2672D77B9F6928D292591,IMPHASH=FE4A2284122DA348258C83EF437FBD7B{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 924900x8000000000000000190600Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:32.921{414E8EDF-CABB-6218-F103-000000003702}6068C:\Temp\c.exe\Device\HarddiskVolume1 924900x8000000000000000190599Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:32.921{414E8EDF-CABB-6218-F103-000000003702}6068C:\Temp\c.exe\Device\Harddisk0\DR0 924900x8000000000000000190598Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:32.921{414E8EDF-CABB-6218-F103-000000003702}6068C:\Temp\c.exe\Device\HarddiskVolume1 13241300x8000000000000000190597Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.localT1031,T1050SetValue2022-02-25 12:25:32.921{414E8EDF-B0AE-6218-0A00-000000003702}624C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\VSS\StartDWORD (0x00000004) 13241300x8000000000000000190596Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-SetValue2022-02-25 12:25:32.921{414E8EDF-B0AE-6218-0A00-000000003702}624C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\VSS\TypeDWORD (0x00000010) 23542300x8000000000000000190595Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:32.921{414E8EDF-CABB-6218-F103-000000003702}6068ATTACKRANGE\AdministratorC:\Temp\c.exeC:\Windows\System32\drivers\fndrMD5=A952E288A1EAD66490B3275A807F52E5,SHA256=E5F3EF69A534260E899A36CEC459440DC572388DEFD8F1D98760D31C700F42D5,IMPHASH=00000000000000000000000000000000falsetrue 924900x8000000000000000190594Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:32.921{414E8EDF-CABB-6218-F103-000000003702}6068C:\Temp\c.exe\Device\HarddiskVolume1 12241200x8000000000000000190593Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-DeleteKey2022-02-25 12:25:32.921{414E8EDF-CABB-6218-F103-000000003702}6068C:\Temp\c.exeHKLM\System\CurrentControlSet\Services\fndr 23542300x8000000000000000190592Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:32.906{414E8EDF-B0B1-6218-1300-000000003702}620NT AUTHORITY\SYSTEMC:\Windows\System32\svchost.exeC:\Windows\Temp\UDDDE9E.tmpMD5=6106653B08F4F72EEAA7F099E7C408A4,SHA256=96B77284744F8761C4F2558388E0AEE2140618B484FF53FA8B222B340D2A9C84,IMPHASH=5BBA6EB3FCCAD3D563D56EF2D7E5D5E8truetrue 23542300x8000000000000000190591Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:32.906{414E8EDF-B0B1-6218-1300-000000003702}620NT AUTHORITY\SYSTEMC:\Windows\System32\svchost.exeC:\Windows\Temp\UDDDE9E.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000190590Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:31.848{414E8EDF-B0AE-6218-0B00-000000003702}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52706-false10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local389ldap 354300x8000000000000000190589Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:31.848{414E8EDF-B0BE-6218-2300-000000003702}2708C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52706-false10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local389ldap 23542300x8000000000000000190588Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:32.406{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5F43C885A90694A877E305FB082053C,SHA256=9D0872C8644F05E415C36BE631B96E5162F3BEA1A4115436BF01185397C1B73D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135542Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:32.069{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFBE2B7BFEA884B29E3C245B2ECC8751,SHA256=5C24DA41E9543FFAD83FE9AB88FB82098BE4D9446834F222C53F729D76EA8A1C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000190587Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:32.390{414E8EDF-B0AE-6218-0B00-000000003702}632804C:\Windows\system32\lsass.exe{414E8EDF-B0BE-6218-2300-000000003702}2708C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190586Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:32.390{414E8EDF-B0AE-6218-0B00-000000003702}632804C:\Windows\system32\lsass.exe{414E8EDF-B0BE-6218-2300-000000003702}2708C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000190585Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:32.281{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D63187EF08807D6694663CBA93E80BBB,SHA256=17048C3C4F9ED208041A24F61977DC06FF94D19574B67D9B69E8FFACCC17F0EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190584Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:32.281{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CCD3D1D8F0C18EB4D8A5C69B29D7AB48,SHA256=708B1BE4298BFC268058BF5F37609746FCF016E8A83A4F6C5DB76EED212A082C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190583Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:32.281{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=615A7C6DC13F592D550B25217FD373E1,SHA256=E5A9AA5BD5AD1D9A3E0E9C731EE82876EBFBA5C18FB11C9C459D76A2B13DDC33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190582Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:32.281{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=158080E8F54489ECC3093BD9FCF8E6CB,SHA256=7C8F2001AB297469A1146AAE6C9F82588B01FC72E0F3CCA80375CCCE0258723B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000190581Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:32.218{414E8EDF-B0AE-6218-0B00-000000003702}6324172C:\Windows\system32\lsass.exe{414E8EDF-B0BE-6218-2300-000000003702}2708C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190580Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:32.218{414E8EDF-B0AE-6218-0B00-000000003702}632804C:\Windows\system32\lsass.exe{414E8EDF-B0BE-6218-2300-000000003702}2708C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190579Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:32.218{414E8EDF-B0AE-6218-0B00-000000003702}632804C:\Windows\system32\lsass.exe{414E8EDF-B0BE-6218-2300-000000003702}2708C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 644600x8000000000000000190578Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:31.906C:\Windows\System32\drivers\fndr.sysMD5=6106653B08F4F72EEAA7F099E7C408A4,SHA256=96B77284744F8761C4F2558388E0AEE2140618B484FF53FA8B222B340D2A9C84,IMPHASH=5BBA6EB3FCCAD3D563D56EF2D7E5D5E8false-Expired 23542300x8000000000000000190614Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:33.937{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=615A7C6DC13F592D550B25217FD373E1,SHA256=E5A9AA5BD5AD1D9A3E0E9C731EE82876EBFBA5C18FB11C9C459D76A2B13DDC33,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000190613Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:32.719{414E8EDF-B0AE-6218-0B00-000000003702}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52709-false10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local389ldap 354300x8000000000000000190612Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:32.719{414E8EDF-B0BE-6218-2300-000000003702}2708C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52709-false10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local389ldap 354300x8000000000000000190611Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:32.704{414E8EDF-B0C9-6218-6A00-000000003702}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52708-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000190610Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:32.692{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52707-false23.37.43.27a23-37-43-27.deploy.static.akamaitechnologies.com80http 354300x8000000000000000190609Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:32.673{414E8EDF-B0BE-6218-2A00-000000003702}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-478.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-478.attackrange.local49153- 23542300x8000000000000000190608Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:33.421{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FB11AB3A3BC6C56A14B02BBD2CE547C,SHA256=23A8CB04288C1E100BF8D6DDE7ACED9F0B27B745BCD1EC705AB1AF5EEC4B15EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135543Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:33.100{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09760504DEB4E334737744B663C15AD0,SHA256=FFC8D1C84B610160D88559B0AB5AD441DA71526707AD825429D0D85CEDFF96D0,IMPHASH=00000000000000000000000000000000falsetrue 924900x8000000000000000190607Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:33.359{414E8EDF-CABB-6218-F103-000000003702}6068C:\Temp\c.exe\Device\HarddiskVolume1 13241300x8000000000000000190606Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-SetValue2022-02-25 12:25:33.359{414E8EDF-CABB-6218-F103-000000003702}6068C:\Temp\c.exeHKU\S-1-5-21-795933930-2430943309-2786954947-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowInfoTipDWORD (0x00000000) 13241300x8000000000000000190605Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-SetValue2022-02-25 12:25:33.359{414E8EDF-CABB-6218-F103-000000003702}6068C:\Temp\c.exeHKU\S-1-5-21-795933930-2430943309-2786954947-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowCompColorDWORD (0x00000000) 13241300x8000000000000000190604Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-SetValue2022-02-25 12:25:33.359{414E8EDF-CABB-6218-F103-000000003702}6068C:\Temp\c.exeHKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowInfoTipDWORD (0x00000000) 13241300x8000000000000000190603Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-SetValue2022-02-25 12:25:33.359{414E8EDF-CABB-6218-F103-000000003702}6068C:\Temp\c.exeHKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowCompColorDWORD (0x00000000) 13241300x8000000000000000190602Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-SetValue2022-02-25 12:25:33.359{414E8EDF-CABB-6218-F103-000000003702}6068C:\Temp\c.exeHKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowInfoTipDWORD (0x00000000) 13241300x8000000000000000190601Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-SetValue2022-02-25 12:25:33.359{414E8EDF-CABB-6218-F103-000000003702}6068C:\Temp\c.exeHKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowCompColorDWORD (0x00000000) 23542300x8000000000000000190615Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:34.437{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=835BC1774EDF5DE6879C6FDCBE47B6A3,SHA256=89CBE7AE7C50244404AB8264E7F4AE95A7B723B368D1462F5D44A16F234D9F5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135544Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:34.163{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C85C8486E20F3F4F9FDFFE7C150BBA2,SHA256=50FAF55226C6C55AF7B1E979F486E3B8B45898470522CDAF924CB4373FA5FD59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190616Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:35.437{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD7517E7D56ECE86F9DE7ED002FA4E84,SHA256=51C6FCAC46F8BD90AA02D06B070E69A73A8DA2DE0F5EFAD08404262983C4FE23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135545Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:35.194{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22CCD98607AA5ABE9DD87C906BA48ED2,SHA256=E0407E53BB0D183ECC77840361C15ED1CC1F59D500F47E2637C0D9F88A03789B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190617Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:36.453{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B36E1F12142255B79D13212C4EC8044,SHA256=915A449A1784CB90F6C8190473C7F306525E3D73109B38BAE8B13937DB5047FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135546Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:36.209{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4371C2FE2B7299F12C5D6EB757203FB7,SHA256=BB0FB1E83A208EEE64B1221F933696C3B748D944ABAA903D2704E0431C87C49C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190618Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:37.453{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58779B01434344781D5C822367BE55D6,SHA256=45A6F024DCD20BA4A314D495EC4EC2BFBBB48276D499A83B4126609D10E1E462,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000135548Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:35.677{6AAC6DF5-B0C0-6218-5B00-000000003802}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-933.eu-central-1.compute.internal50995-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000135547Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:37.256{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BBC762107363B3559729E42766F1D22,SHA256=712245F94701F348ED70BB5696456F44C9A9B4910AB3C3ACE061605D282D4C7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190627Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:38.625{414E8EDF-B0BE-6218-2900-000000003702}2792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=4A396A40DE4AD844AFDFD6BFEE34209D,SHA256=ABC582D2644B8C5C1CF17206963A01B55D9A40BBB1979B03D8F2D216AA803ABE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190626Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:38.468{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DEAE501F5BE90752CF347CAAAB896C9,SHA256=7E892C1E5FC2A7C8999781A0CB95A5241C1E2A7D61F14FCC3FA021D5D1379FFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135549Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:38.256{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B5EA3013084B9C7349E4B2DABFFF774,SHA256=70C26A9556C40E942C12B7261B36B820A4E7DD0BC8DC5B17E2F7DC3995F3ED1B,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000190625Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.localInvDB-VerSetValue2022-02-25 12:25:38.437{414E8EDF-B0B1-6218-1300-000000003702}620C:\Windows\System32\svchost.exe\REGISTRY\A\{f89ad7a0-9b1c-d300-945e-fd668b07907f}\Root\InventoryApplicationFile\c.exe|73a9afb12ed81a4e\BinProductVersion(Empty) 13241300x8000000000000000190624Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.localInvDB-CompileTimeClaimSetValue2022-02-25 12:25:38.437{414E8EDF-B0B1-6218-1300-000000003702}620C:\Windows\System32\svchost.exe\REGISTRY\A\{f89ad7a0-9b1c-d300-945e-fd668b07907f}\Root\InventoryApplicationFile\c.exe|73a9afb12ed81a4e\LinkDate02/23/2022 09:48:53 13241300x8000000000000000190623Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.localInvDB-PubSetValue2022-02-25 12:25:38.437{414E8EDF-B0B1-6218-1300-000000003702}620C:\Windows\System32\svchost.exe\REGISTRY\A\{f89ad7a0-9b1c-d300-945e-fd668b07907f}\Root\InventoryApplicationFile\c.exe|73a9afb12ed81a4e\Publisher(Empty) 13241300x8000000000000000190622Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.localInvDB-PathSetValue2022-02-25 12:25:38.421{414E8EDF-B0B1-6218-1300-000000003702}620C:\Windows\System32\svchost.exe\REGISTRY\A\{f89ad7a0-9b1c-d300-945e-fd668b07907f}\Root\InventoryApplicationFile\c.exe|73a9afb12ed81a4e\LowerCaseLongPathc:\temp\c.exe 924900x8000000000000000190621Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:38.421{414E8EDF-B0B1-6218-1300-000000003702}620C:\Windows\System32\svchost.exe\Device\Harddisk0\DR0 924900x8000000000000000190620Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:38.421{414E8EDF-B0B1-6218-1300-000000003702}620C:\Windows\System32\svchost.exe\Device\HarddiskVolume1 13241300x8000000000000000190619Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.localInvDBSetValue2022-02-25 12:25:38.406{414E8EDF-B0B1-6218-1300-000000003702}620C:\Windows\System32\svchost.exeHKU\S-1-5-21-795933930-2430943309-2786954947-500\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\C:\Temp\c.exeBinary Data 354300x8000000000000000190629Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:38.735{414E8EDF-B0C9-6218-6A00-000000003702}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52710-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000190628Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:39.515{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=595DEA5C0AE2F05BE8984E7B737F899F,SHA256=C60313EAED71D9C584CCB33B2309F1924C9A580319505650C6387FB5975CCE6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135550Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:39.303{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB4A2E3D472C4373242300140BB47F00,SHA256=67A8F7C9CB9F0B9522D371F41C82FB27F18EBB4E6E8ED7A2D70DB071F239BB62,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000190631Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:39.110{414E8EDF-B0BE-6218-2900-000000003702}2792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52711-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000190630Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:40.547{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12FC6E526A521706A6176910ADC0F8C6,SHA256=751AF60A898AAE408554CE51A7CC258BAF00F65FB8FCC53A3DC1651579F7C5C3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000135564Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:40.663{6AAC6DF5-B0B4-6218-2B00-000000003802}28082828C:\Windows\system32\conhost.exe{6AAC6DF5-CAC4-6218-9E03-000000003802}3640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135563Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:40.663{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135562Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:40.663{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135561Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:40.663{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135560Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:40.663{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135559Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:40.663{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135558Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:40.663{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135557Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:40.663{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135556Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:40.663{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135555Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:40.663{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135554Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:40.663{6AAC6DF5-B0AF-6218-0500-000000003802}424540C:\Windows\system32\csrss.exe{6AAC6DF5-CAC4-6218-9E03-000000003802}3640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000135553Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:40.663{6AAC6DF5-B0B2-6218-2200-000000003802}15003888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6AAC6DF5-CAC4-6218-9E03-000000003802}3640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000135552Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:40.663{6AAC6DF5-CAC4-6218-9E03-000000003802}3640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6AAC6DF5-B0B0-6218-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{6AAC6DF5-B0B2-6218-2200-000000003802}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000135551Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:40.334{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE28B0E16DE27B6524B4D9BC347C2D33,SHA256=DEF5A827FB9FED62C3FAD83CE46340ECA82FEB4516C14897081A8777797843E8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000135594Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:41.834{6AAC6DF5-CAC5-6218-A003-000000003802}12483684C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{6AAC6DF5-B0B2-6218-2200-000000003802}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000135593Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:41.694{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2F0D22C42E9BE4A27E2543376B637EB9,SHA256=958BB61F2A48026C33637BF5A9EEF5A530E61F92BFD3414379FDE007A7F8CF01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135592Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:41.694{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=719F24F1E603F406ED841472E54A5FCE,SHA256=20820987CE9964566FA8836926914F27FA2B87625B8892F1D4D3EE4A3DE7C195,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000135591Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:41.663{6AAC6DF5-B0B4-6218-2B00-000000003802}28082828C:\Windows\system32\conhost.exe{6AAC6DF5-CAC5-6218-A003-000000003802}1248C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135590Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:41.663{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135589Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:41.663{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135588Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:41.663{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135587Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:41.663{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135586Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:41.663{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135585Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:41.663{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135584Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:41.663{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135583Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:41.663{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135582Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:41.663{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135581Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:41.663{6AAC6DF5-B0AF-6218-0500-000000003802}424440C:\Windows\system32\csrss.exe{6AAC6DF5-CAC5-6218-A003-000000003802}1248C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000135580Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:41.663{6AAC6DF5-B0B2-6218-2200-000000003802}15003888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6AAC6DF5-CAC5-6218-A003-000000003802}1248C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000135579Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:41.664{6AAC6DF5-CAC5-6218-A003-000000003802}1248C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6AAC6DF5-B0B0-6218-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{6AAC6DF5-B0B2-6218-2200-000000003802}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000135578Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:41.522{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EDF4C7B22204E5C01C37D16E002FD6B,SHA256=1D8B983B495A2B2DE6726F0DA81D789198A02B1EF4862F12138F5E6BA28299FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190632Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:41.562{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DF0D325B25B7E2D1A636956A053EA2D,SHA256=EDF2D37FFB0A36745500610E2ED69A0248B150D20C705FBA9E76CD8CDB8B9AC8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000135577Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:41.163{6AAC6DF5-B0B4-6218-2B00-000000003802}28082828C:\Windows\system32\conhost.exe{6AAC6DF5-CAC5-6218-9F03-000000003802}2568C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135576Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:41.163{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135575Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:41.163{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135574Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:41.163{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135573Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:41.163{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135572Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:41.163{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135571Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:41.163{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135570Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:41.163{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135569Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:41.163{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135568Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:41.163{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135567Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:41.163{6AAC6DF5-B0AF-6218-0500-000000003802}424440C:\Windows\system32\csrss.exe{6AAC6DF5-CAC5-6218-9F03-000000003802}2568C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000135566Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:41.163{6AAC6DF5-B0B2-6218-2200-000000003802}15003888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6AAC6DF5-CAC5-6218-9F03-000000003802}2568C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000135565Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:41.164{6AAC6DF5-CAC5-6218-9F03-000000003802}2568C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6AAC6DF5-B0B0-6218-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{6AAC6DF5-B0B2-6218-2200-000000003802}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000135595Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:42.538{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63986D9816A7B39A6326ED5C83A131CC,SHA256=350B8B914B0127F7435E28941BC4AC0684726B0C7B2000DFD99F9A200B64BDF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190633Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:42.593{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F67997759E01A1C2368ECA6497363C87,SHA256=AF8A44BFAA7732039E536088F85416602E6AD08D23F060D48B009670FC37BAA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190634Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:43.625{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2638807D6C274B581E3E9FC4550AE101,SHA256=2FEB9439054D199D4E772549FCFB2FBEE68F89FAD7C8759017A9968A683C3AEB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000135597Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:41.693{6AAC6DF5-B0C0-6218-5B00-000000003802}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-933.eu-central-1.compute.internal50996-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000135596Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:43.553{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04D9FAA1B63FE216303ACF3A66F1BC1D,SHA256=60680CC649D4C07F8BE272B1C541AED04A0FC1482B79EC7490ECFC27BE5EEB82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190635Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:44.640{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95211CD05D815898A20A17752FC4DE49,SHA256=82D95C909FF10FF137356F692AE717DFF25B542D629A53C310765700E2CBCE02,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000135612Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:44.915{6AAC6DF5-CAC8-6218-A103-000000003802}2296748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6AAC6DF5-B0B2-6218-2200-000000003802}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135611Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:44.616{6AAC6DF5-B0B4-6218-2B00-000000003802}28082828C:\Windows\system32\conhost.exe{6AAC6DF5-CAC8-6218-A103-000000003802}2296C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135610Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:44.616{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135609Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:44.616{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135608Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:44.616{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135607Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:44.616{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135606Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:44.616{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135605Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:44.616{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135604Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:44.616{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135603Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:44.616{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135602Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:44.616{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135601Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:44.616{6AAC6DF5-B0AF-6218-0500-000000003802}4241012C:\Windows\system32\csrss.exe{6AAC6DF5-CAC8-6218-A103-000000003802}2296C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000135600Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:44.616{6AAC6DF5-B0B2-6218-2200-000000003802}15003888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6AAC6DF5-CAC8-6218-A103-000000003802}2296C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000135599Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:44.617{6AAC6DF5-CAC8-6218-A103-000000003802}2296C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6AAC6DF5-B0B0-6218-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6AAC6DF5-B0B2-6218-2200-000000003802}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000135598Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:44.553{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E27810943DB961D937EAC6DD74052CD5,SHA256=1E5F730CCBF40C812F436B4E619B82E30B88ADB1588E232D692E0BED5A44B740,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135628Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:45.803{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2F0D22C42E9BE4A27E2543376B637EB9,SHA256=958BB61F2A48026C33637BF5A9EEF5A530E61F92BFD3414379FDE007A7F8CF01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135627Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:45.788{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F07119C51B397F4EF7F4F8D0EEE7744,SHA256=81CEBBF2E75F7F73B8E7D62AD246E9D21F278A0D22513D4EC68BB684D85D14AC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000190637Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:44.625{414E8EDF-B0C9-6218-6A00-000000003702}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52712-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000190636Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:45.656{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF0C82C36808D4391868C95407BCF091,SHA256=2B5F927FFD7B61FCF70DBC8F21AD581D21D6764E570469E9B44D01D47B3427EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000135626Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:45.522{6AAC6DF5-CAC9-6218-A203-000000003802}9203208C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6AAC6DF5-B0B2-6218-2200-000000003802}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135625Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:45.288{6AAC6DF5-B0B4-6218-2B00-000000003802}28082828C:\Windows\system32\conhost.exe{6AAC6DF5-CAC9-6218-A203-000000003802}920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135624Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:45.288{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135623Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:45.288{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135622Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:45.288{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135621Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:45.288{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135620Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:45.288{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135619Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:45.288{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135618Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:45.288{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135617Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:45.288{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135616Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:45.288{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135615Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:45.288{6AAC6DF5-B0AF-6218-0500-000000003802}4241012C:\Windows\system32\csrss.exe{6AAC6DF5-CAC9-6218-A203-000000003802}920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000135614Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:45.288{6AAC6DF5-B0B2-6218-2200-000000003802}15003888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6AAC6DF5-CAC9-6218-A203-000000003802}920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000135613Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:45.288{6AAC6DF5-CAC9-6218-A203-000000003802}920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{6AAC6DF5-B0B0-6218-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6AAC6DF5-B0B2-6218-2200-000000003802}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000135642Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:46.959{6AAC6DF5-B0B4-6218-2B00-000000003802}28082828C:\Windows\system32\conhost.exe{6AAC6DF5-CACA-6218-A303-000000003802}1392C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135641Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:46.959{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135640Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:46.959{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135639Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:46.959{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135638Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:46.959{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135637Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:46.959{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135636Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:46.959{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135635Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:46.959{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135634Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:46.959{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135633Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:46.959{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135632Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:46.959{6AAC6DF5-B0AF-6218-0500-000000003802}4241012C:\Windows\system32\csrss.exe{6AAC6DF5-CACA-6218-A303-000000003802}1392C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000135631Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:46.959{6AAC6DF5-B0B2-6218-2200-000000003802}15003888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6AAC6DF5-CACA-6218-A303-000000003802}1392C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000135630Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:46.960{6AAC6DF5-CACA-6218-A303-000000003802}1392C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6AAC6DF5-B0B0-6218-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{6AAC6DF5-B0B2-6218-2200-000000003802}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000135629Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:46.819{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2B125B96CF3451BF92A585BCD02BBF0,SHA256=CB588DBC7AD5458E0C93807786CB80D814EBA63D46A2D3B36348104FDF3A1A99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190638Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:46.672{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7931214929E75322CF821EFBB828C5B,SHA256=53BE1E511F3D07F356A79F2A62A4D562453BA5C7C03AA4D1D2766B80ECB3613A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135645Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:47.959{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8C35D7BF7ADB3B4115F29825AC600DE9,SHA256=BCFCD84874003386909046781951C0E2479F66C001C75FD8EEC078F67C353632,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135644Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:47.834{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8CAEDA958334662E5A5B9CBD9B6108D,SHA256=8DE8B30E72CA4BEB3CBBF6A44B4C240C05B953724C7A758D03D7738BF7EFBC21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190639Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:47.718{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9D665F87129F47D65666C380F673DB8,SHA256=7A2D304ECDA03A811BF706A06FEC3F3A7DC6EC10D193D6ABE602C4C83112E94F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000135643Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:47.147{6AAC6DF5-CACA-6218-A303-000000003802}1392600C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{6AAC6DF5-B0B2-6218-2200-000000003802}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000135659Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:48.850{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AAD8F5F864E77016483B72806FB3E03,SHA256=FAF8DDBFA4B96E18478A504BEBC9C1A51BBC6D431269DC8F1B673B21E1C46AC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190640Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:48.734{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E291B6AB4BE09573902E6CC0202D5DD,SHA256=912118FF488DABB14027021E958A877296B00CCA56F7288BA77270993A8CF62B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000135658Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:48.100{6AAC6DF5-B0B4-6218-2B00-000000003802}28082828C:\Windows\system32\conhost.exe{6AAC6DF5-CACC-6218-A403-000000003802}2320C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135657Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:48.100{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135656Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:48.100{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135655Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:48.100{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135654Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:48.100{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135653Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:48.100{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135652Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:48.100{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135651Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:48.100{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135650Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:48.100{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135649Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:48.100{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135648Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:48.100{6AAC6DF5-B0AF-6218-0500-000000003802}424540C:\Windows\system32\csrss.exe{6AAC6DF5-CACC-6218-A403-000000003802}2320C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000135647Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:48.100{6AAC6DF5-B0B2-6218-2200-000000003802}15003888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6AAC6DF5-CACC-6218-A403-000000003802}2320C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000135646Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:48.102{6AAC6DF5-CACC-6218-A403-000000003802}2320C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6AAC6DF5-B0B0-6218-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{6AAC6DF5-B0B2-6218-2200-000000003802}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000190641Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:49.750{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DEAE48142F0DE6A848F098728E5B9C5,SHA256=0EFBF9FC40BFDC638445ADBE98322507A8A8DF4DE182D0618838F88E6AC550FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135661Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:49.866{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62FC87A72001E40FF9F4B89F1699F4D1,SHA256=98D5AFE66950005D427A67B40ACF7DED838190B205D46C13E054B0425FF14E6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135660Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:49.131{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=41AC774E3526D49780D926F3B97A8456,SHA256=5FF07185178396F168F53EAD71DAA714DA05C3792C3954CBC9F7A0130D7D09EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135663Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:50.881{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28FCB66098F767909A6096245BB02034,SHA256=33DBE69CE8BFD29D2685030EAFE590501FB14131F9FB5997840D6937B0EBC667,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190650Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:50.813{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2EEC0E961922D2BE5E7804F0ABD4C44,SHA256=A41AB3F8DEB0A33B190DAF0EB57F9E7166958A6B650F3B980EBD84ECA3DB75B6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000190649Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:50.375{414E8EDF-B0C0-6218-3300-000000003702}31843204C:\Windows\system32\conhost.exe{414E8EDF-CACE-6218-F203-000000003702}3452C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190648Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:50.375{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190647Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:50.375{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190646Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:50.375{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190645Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:50.375{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190644Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:50.375{414E8EDF-B0AE-6218-0500-000000003702}416372C:\Windows\system32\csrss.exe{414E8EDF-CACE-6218-F203-000000003702}3452C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000190643Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:50.375{414E8EDF-B0BE-6218-2900-000000003702}27923692C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{414E8EDF-CACE-6218-F203-000000003702}3452C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000190642Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:50.376{414E8EDF-CACE-6218-F203-000000003702}3452C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{414E8EDF-B0AE-6218-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{414E8EDF-B0BE-6218-2900-000000003702}2792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000135662Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:47.724{6AAC6DF5-B0C0-6218-5B00-000000003802}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-933.eu-central-1.compute.internal50997-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000135664Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:51.897{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=078D6D8DF1E2CD9CF55535D4919B5771,SHA256=C0B3B5E4A45A08A1F2B591830FB886C97255D47F27A184162E59B40411B64647,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000190671Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:51.968{414E8EDF-CACF-6218-F403-000000003702}58125052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{414E8EDF-B0BE-6218-2900-000000003702}2792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000190670Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:51.843{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3531F6802F46A750581629BDB7E24313,SHA256=04211A58E79FA2318D4789616ADC5C6E0BA35D73BC3068230D08D2A5694810B0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000190669Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:51.781{414E8EDF-B0C0-6218-3300-000000003702}31843204C:\Windows\system32\conhost.exe{414E8EDF-CACF-6218-F403-000000003702}5812C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190668Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:51.781{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190667Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:51.781{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190666Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:51.781{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190665Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:51.781{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190664Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:51.781{414E8EDF-B0AE-6218-0500-000000003702}4165324C:\Windows\system32\csrss.exe{414E8EDF-CACF-6218-F403-000000003702}5812C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000190663Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:51.781{414E8EDF-B0BE-6218-2900-000000003702}27923692C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{414E8EDF-CACF-6218-F403-000000003702}5812C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000190662Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:51.782{414E8EDF-CACF-6218-F403-000000003702}5812C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{414E8EDF-B0AE-6218-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{414E8EDF-B0BE-6218-2900-000000003702}2792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000190661Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:51.500{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DD53D1EE0661FA9733A9234929E774E3,SHA256=C9520D5FDF531FA40CBA6AA6923EFC404572D0B401996ED7E7602FB6350A575E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190660Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:51.500{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D63187EF08807D6694663CBA93E80BBB,SHA256=17048C3C4F9ED208041A24F61977DC06FF94D19574B67D9B69E8FFACCC17F0EC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000190659Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:51.265{414E8EDF-B0C0-6218-3300-000000003702}31843204C:\Windows\system32\conhost.exe{414E8EDF-CACF-6218-F303-000000003702}3364C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190658Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:51.265{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190657Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:51.265{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190656Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:51.265{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190655Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:51.265{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190654Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:51.265{414E8EDF-B0AE-6218-0500-000000003702}416432C:\Windows\system32\csrss.exe{414E8EDF-CACF-6218-F303-000000003702}3364C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000190653Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:51.265{414E8EDF-B0BE-6218-2900-000000003702}27923692C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{414E8EDF-CACF-6218-F303-000000003702}3364C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000190652Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:51.266{414E8EDF-CACF-6218-F303-000000003702}3364C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{414E8EDF-B0AE-6218-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{414E8EDF-B0BE-6218-2900-000000003702}2792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000190651Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:49.703{414E8EDF-B0C9-6218-6A00-000000003702}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52713-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000135665Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:52.991{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93BF5524EFC6277A48A2AE5551651B10,SHA256=7E9E46CF14C12F72B30C7A9D0EFDA0D9263E03E0BA467F77691F13AB33D9BEC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190681Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:52.859{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E48F5BC7CE9B8FC6C3620C2B00AC807E,SHA256=E0A221ED072A5FF15221D2FE114E57D2A1ACF42DF7647C7ABCAF093984B16852,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000190680Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:52.640{414E8EDF-CAD0-6218-F503-000000003702}42084576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{414E8EDF-B0BE-6218-2900-000000003702}2792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190679Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:52.453{414E8EDF-B0C0-6218-3300-000000003702}31843204C:\Windows\system32\conhost.exe{414E8EDF-CAD0-6218-F503-000000003702}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190678Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:52.453{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190677Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:52.453{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190676Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:52.453{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190675Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:52.453{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190674Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:52.453{414E8EDF-B0AE-6218-0500-000000003702}416372C:\Windows\system32\csrss.exe{414E8EDF-CAD0-6218-F503-000000003702}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000190673Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:52.453{414E8EDF-B0BE-6218-2900-000000003702}27923692C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{414E8EDF-CAD0-6218-F503-000000003702}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000190672Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:52.454{414E8EDF-CAD0-6218-F503-000000003702}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{414E8EDF-B0AE-6218-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{414E8EDF-B0BE-6218-2900-000000003702}2792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000190701Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:53.875{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84F40B1D786D448081A8032F67ACAE9F,SHA256=E38EF5136BE251561BF1F8E9397550037F5BD22ED83950A6F30266A8E1425825,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000190700Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:53.859{414E8EDF-CAD1-6218-F703-000000003702}52925296C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{414E8EDF-B0BE-6218-2900-000000003702}2792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190699Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:53.672{414E8EDF-B0C0-6218-3300-000000003702}31843204C:\Windows\system32\conhost.exe{414E8EDF-CAD1-6218-F703-000000003702}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190698Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:53.672{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190697Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:53.672{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190696Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:53.672{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190695Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:53.672{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190694Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:53.672{414E8EDF-B0AE-6218-0500-000000003702}416432C:\Windows\system32\csrss.exe{414E8EDF-CAD1-6218-F703-000000003702}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000190693Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:53.672{414E8EDF-B0BE-6218-2900-000000003702}27923692C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{414E8EDF-CAD1-6218-F703-000000003702}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000190692Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:53.672{414E8EDF-CAD1-6218-F703-000000003702}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{414E8EDF-B0AE-6218-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{414E8EDF-B0BE-6218-2900-000000003702}2792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000190691Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:53.172{414E8EDF-CAD1-6218-F603-000000003702}59003400C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{414E8EDF-B0BE-6218-2900-000000003702}2792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000190690Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:53.015{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DD53D1EE0661FA9733A9234929E774E3,SHA256=C9520D5FDF531FA40CBA6AA6923EFC404572D0B401996ED7E7602FB6350A575E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000190689Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:53.000{414E8EDF-B0C0-6218-3300-000000003702}31843204C:\Windows\system32\conhost.exe{414E8EDF-CAD1-6218-F603-000000003702}5900C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190688Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:53.000{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190687Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:53.000{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190686Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:53.000{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190685Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:53.000{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190684Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:53.000{414E8EDF-B0AE-6218-0500-000000003702}416372C:\Windows\system32\csrss.exe{414E8EDF-CAD1-6218-F603-000000003702}5900C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000190683Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:53.000{414E8EDF-B0BE-6218-2900-000000003702}27923692C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{414E8EDF-CAD1-6218-F603-000000003702}5900C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000190682Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:53.001{414E8EDF-CAD1-6218-F603-000000003702}5900C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{414E8EDF-B0AE-6218-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{414E8EDF-B0BE-6218-2900-000000003702}2792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000190705Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:54.875{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE440E994A6DCDAF2BBBB3436D5D5C38,SHA256=A56FED3E328AD739E37D7F1109D556511428A474E33B1EB2D8BE11CE17A81351,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135666Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:54.069{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=609E4D3FDD157FA1721EEC675B41EB22,SHA256=D267DEE95136C6CA7B9E67667CD5AC0130EA6E50F74BE30D15301E6B950107E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190704Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:54.719{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0065F6E741E5AEE120C94733EF5CD1F8,SHA256=6F2ACC850A92AD06EA0D4FEBCD686546F1743F625830283A4A408162661669E1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000190703Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:52.907{414E8EDF-B0AE-6218-0B00-000000003702}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-478.attackrange.local52714-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-478.attackrange.local389ldap 354300x8000000000000000190702Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:52.907{414E8EDF-B0BE-6218-2B00-000000003702}2820C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-478.attackrange.local52714-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-478.attackrange.local389ldap 23542300x8000000000000000190706Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:55.906{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C4808DB1A0C1C7C1A81787E5D4FD887,SHA256=21C9357BC6B59DE09AEE55A348C9FCF4C0B6175AEA56BB1933188D55BDE2542B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000135668Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:53.599{6AAC6DF5-B0C0-6218-5B00-000000003802}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-933.eu-central-1.compute.internal50998-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000135667Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:55.084{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D2E15DFCE44CBB0D710F3870226243A,SHA256=43E074F3DFFEE74C5AD731656DD1716219249316057BD610E05C19D0974EE4C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135669Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:56.116{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43EC9D7C7AE32D10346C89E803B6E4E0,SHA256=F613D910E0900FCD11F6A5C4A948163D99C198315D8334438B05596225F3E809,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000190715Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:56.844{414E8EDF-B0C0-6218-3300-000000003702}31843204C:\Windows\system32\conhost.exe{414E8EDF-CAD4-6218-F803-000000003702}3220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190714Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:56.844{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190713Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:56.844{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190712Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:56.844{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190711Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:56.844{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190710Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:56.844{414E8EDF-B0AE-6218-0500-000000003702}416532C:\Windows\system32\csrss.exe{414E8EDF-CAD4-6218-F803-000000003702}3220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000190709Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:56.844{414E8EDF-B0BE-6218-2900-000000003702}27923692C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{414E8EDF-CAD4-6218-F803-000000003702}3220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000190708Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:56.844{414E8EDF-CAD4-6218-F803-000000003702}3220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{414E8EDF-B0AE-6218-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{414E8EDF-B0BE-6218-2900-000000003702}2792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000190707Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:54.703{414E8EDF-B0C9-6218-6A00-000000003702}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52715-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000135670Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:57.147{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7612AF56D41CF24D250FA555DDF51C7D,SHA256=8FBB6C5EA42BA85C0513C2E147331A74B0D19CCD465AF951F5F29495ED1EF6A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190717Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:57.859{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=53C2748F5EC3F7973B9C7528CA92C44D,SHA256=AF05E6E08834204C19E88BCF14D54FF2D23BD285F43B1FE059A04C890442DC28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190716Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:57.062{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9026D1FF07DBB10981534CAD0309508F,SHA256=17659A6C1ADF8219F187D34FD18E9AF465D6AA0D08FB22068D7F6A386C6510F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135671Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:58.178{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73E8957F6CFA1474B4E4BD1E97480A9C,SHA256=227CED0F119679626F756AC209D5E9C48FF039AA22F6E2988289C77335B873FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190718Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:58.062{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F9A24AC722ACE0549DE9D8109618505,SHA256=5EA5E8F36470133C10409AB524EEF4F5EFB6B8101138E42DACEE0B683F0F5271,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135672Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:59.225{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87BF05A33426B5DA0DBDCAD05F6A3CFB,SHA256=1D2A3A99EE07989145CA63763CC19C78CF24D119D6D8FFCA9BFDBDB4D53AD9C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190719Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:25:59.078{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB80280A6474B0586BC12A183182A460,SHA256=1A6FB2DAFC43994E976AB40EE6BD1DE045CF50A9EDE6FFA1BDB3EBD1F4482BEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190720Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:00.094{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18A667E87CFE0C8D007C66F72EFEFDDA,SHA256=10C8A478B6544B1829C40EAADB0EF05F021EDEF421C9973DF34D7F7DA6F54FB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135673Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:00.272{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D3F44572A537A1EB2B1FA867326F112,SHA256=A1DFAF577EFEF1B759434B306852E70F3EAE3843B864CE6EE42943EB69177A89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190721Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:01.328{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B2205C4309C36D0070C7E19638E4D19,SHA256=35C5284317E14348B50EABAA39B0436F4FA1F279A0A3700A197BE3737229B561,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000135675Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:25:59.521{6AAC6DF5-B0C0-6218-5B00-000000003802}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-933.eu-central-1.compute.internal50999-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000135674Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:01.303{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82C4D638C82CEECA1FCE7623FA84FBCE,SHA256=4A4877F00B42812BCE0FE7D7684E948837E70754DD99723F62AF333B85DFE5C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135676Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:02.319{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33514430C302BE5365ACE1B8C0E7997B,SHA256=96689B8E0BE46A4112AF0772516218E48DE20827D8DEC2929672025857A0F8A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190723Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:02.375{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C72A8E3610C8DC893C78884BA6D3B46,SHA256=947B4570B4999B5F55C92A4F62E5DDBCC1F0857B4B9372886684FE7B17908247,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000190722Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:00.672{414E8EDF-B0C9-6218-6A00-000000003702}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52716-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000135677Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:03.350{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E7DBC30284FA585120C03183E4170F2,SHA256=5F9BB85012A996952D9091B28FC758717CDEA2424BD5B17EB33FE8F45A4FE8C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190724Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:03.375{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=695F6758F2948840690691EAE2CA27F8,SHA256=69C51EB6091EA2AEC499E2656DBD1D7B1E88FB7E942A6A2ED1FEBED1D6AD6303,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135678Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:04.397{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=544FA9EBEAA8DD2CF586D4FEF1D75B1A,SHA256=5668D28A0C77236DB669B1AD2C53A61FF96761E86066AA89E45BD693EC7978D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190725Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:04.531{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AAB0E023793E3A71A72FC6B15667B3F,SHA256=CF8F2958436E8C3F89D59821FA89C1581325A2E79D6C01A6D33F4759BA113EBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190726Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:05.547{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=053BB439C51FF246EBE6F281651D7ADA,SHA256=E547BEFA5633778590021E445D3FE7834B0A5215DAB728A353676C16762A8F57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135679Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:05.428{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0348C3E1EA9DFA9001C31BA64E360DE6,SHA256=2F848543C4383CDEA0D0605FFED4F03346F7CCC752D414B81C82C0726EBFB97B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190727Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:06.562{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF63F74FB05AD1E7BEE23E4629C5649E,SHA256=30E3A78BEF3DD0F716014D5D72092EFAC8103FB8CC911954B6A7A9D95AC2365B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000135681Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:04.740{6AAC6DF5-B0C0-6218-5B00-000000003802}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-933.eu-central-1.compute.internal51000-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000135680Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:06.444{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E03DA1F233052E2F9937F97A55580360,SHA256=78EC655CBA05A24943D42A9F4EE1D403CDFED995432709ACD46D4EA5E7244BF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135682Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:07.459{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39C18D24938F85316C8455E9CF707668,SHA256=4FB134292ED74187F7A25CC93219B85FB536D6DD743F6585247EC1EBE7AB2C10,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000190765Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:07.062{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DD-6218-8900-000000003702}4020C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190764Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:07.062{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DD-6218-8900-000000003702}4020C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190763Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:07.062{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DD-6218-8900-000000003702}4020C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190762Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:07.062{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DD-6218-8900-000000003702}4020C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190761Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:07.062{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DD-6218-8900-000000003702}4020C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190760Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:07.062{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DD-6218-8900-000000003702}4020C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190759Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:07.062{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DD-6218-8900-000000003702}4020C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190758Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:07.062{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DD-6218-8900-000000003702}4020C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190757Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:07.062{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DD-6218-8900-000000003702}4020C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190756Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:07.062{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DD-6218-8A00-000000003702}4764C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190755Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:07.062{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DD-6218-8A00-000000003702}4764C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190754Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:07.062{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DD-6218-8A00-000000003702}4764C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190753Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:07.062{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190752Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:07.062{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190751Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:07.062{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190750Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:07.062{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190749Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:07.062{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190748Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:07.062{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190747Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:07.062{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190746Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:07.062{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190745Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:07.062{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190744Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:07.062{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190743Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:07.062{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190742Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:07.062{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190741Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:07.062{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190740Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:07.062{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190739Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:07.062{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190738Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:07.062{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190737Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:07.062{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190736Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:07.062{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190735Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:07.062{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190734Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:07.062{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190733Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:07.062{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190732Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:07.062{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190731Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:07.062{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190730Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:07.062{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190729Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:07.062{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190728Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:07.062{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000135683Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:08.584{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFED7F07FE8B800CE471311FD4EACD25,SHA256=C21089C6830658BDEEF8C033021F618BD8F473BA4B041E2E6DC59FC354691F24,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000190767Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:06.594{414E8EDF-B0C9-6218-6A00-000000003702}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52717-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000190766Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:08.078{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E77E0370839BCB6D478D70453F583C70,SHA256=649C88235B500138CB9ECB0099E424392D870213E2D65C4153F8C11C7793736F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135684Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:09.616{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDF4AADB16BB9ECCC7CFD5AC1481CED1,SHA256=7AAF5C37B8BD20E5309D2E5527AAAA1DCF8CD7B165EC6335D483759B80999D7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190768Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:09.125{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A14C95882338551534D8B586306057EA,SHA256=278DFF6B4F8009AE59E4F4EDB1948F23FF0CB98438C7B954CD18CA2290E95B00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135685Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:10.616{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48D76BAC4E9E4618F5A85ACF356E8638,SHA256=CCA0079B4A92A6C6AC68D250C383A67963F517D9988BDAF9C5E442422A01DF04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190769Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:10.156{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59FC31CDAEB0204122405B2E14C71E2A,SHA256=366163F6911C714AD53B8AB5D20DD25898F62D7DA26ED74CE85E5F6E876B0519,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135686Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:11.662{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20449941AA37D56B91B6777B56F18AB5,SHA256=494A24E4AF45A0ED98180381EF72F6272C0BFC9831EA50CFD9B9E828D0F860C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190770Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:11.172{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB57DD59402B8CE43A87B8347C205993,SHA256=8BC6E4C0E18B4C582A7BDE3331410F482B1E053009A995D07A8E8DB6D048C858,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135687Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:12.662{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=874E9C79FC5E73F4769B7F1A5DF1A651,SHA256=57539B6149BBCC89B4A4CFFB085C7DF1677B21E8847C709CE2033E647A9501C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190771Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:12.172{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6ADAD208C9C76E55ABE82CA10EEF6DB1,SHA256=DC30DF44A56FF485BBB1CE72B15775B328DAAB1388DBEA68B01202878FF7B480,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135689Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:13.741{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E4718726586F8E3878DD9DD5E85E551,SHA256=1E2CB23F0D79F2B648CE29212E540FFDCBE350C01356DCC712E52ABA6028E270,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000190773Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:11.704{414E8EDF-B0C9-6218-6A00-000000003702}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52718-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000190772Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:13.187{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15153ACCE4AB4571C966480825292B13,SHA256=5388AC35B014D3916E23A4E185ACCBBDB6A782093DBE461D84493C21B4FFCDC8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000135688Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:10.739{6AAC6DF5-B0C0-6218-5B00-000000003802}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-933.eu-central-1.compute.internal51001-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000135690Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:14.773{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F8CD92A31E5EEA40EB60C63CA8759AE,SHA256=19A6C0D7BE97588DB883141B67078D874D2F53CE7A92715E4CE7B17CD98D86E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190774Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:14.203{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D12901E9815C1C0769D5F2595120582,SHA256=DD4B9412329542056CA23B021780CFC62BCECCFDC50D9D9096DE18FEE7CDC8E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135692Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:15.804{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A111451924CB09474A812E8644AB5592,SHA256=03AE3D2A7F886DB4B69182146DB3E43D7380939E6A4AD229456CFE4DE87D669B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190775Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:15.234{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D86B73CFA67C5E99BE36F4034C1BD641,SHA256=7ACB64947ECC51FEEDDB5B70E01466B4E4600AEDB2893E3F0B6E07228395CCAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135691Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:15.183{6AAC6DF5-B0B2-6218-1D00-000000003802}1952NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d7ccee276d30a4b6\channels\health\respondent-20220225103429-108MD5=FBD42F5F8AA0DC0DD6067820063FF10B,SHA256=AAA41009555F09EFB0ED817562D7125DD50A33AE671816E82835424EE5CAE232,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135694Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:16.820{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40BBFEE3738E057A276220A01F1A82C8,SHA256=D0F2BD278BD06A6FAA601909930C94186383011D3928AA29699479F2FACE535C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190776Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:16.251{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E3EECD6802CA36471A2E66208B9D1B6,SHA256=E6E08B04DB59A5EA1C499628A5862D8896972B53E3624B6547006CDE0C85FA91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135693Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:16.196{6AAC6DF5-B0B2-6218-1D00-000000003802}1952NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d7ccee276d30a4b6\channels\health\surveyor-20220225103427-109MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135695Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:17.820{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E33A79167C29129ACD9C57E51F034F9,SHA256=E79213433D32D1718A4A86560D37ED42EF5C9274289B59CB91F91B2086F26C2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190777Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:17.297{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30FF1EA3A9BF01C22963F6156B9A941E,SHA256=BB423152BB527B296FB69BB7DA9BDAB8CD48A3CA6ADA0B59208535A837368328,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135696Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:18.851{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1DEC91ADEBA8F90D277B96E4B016998,SHA256=DD643F94E1D4672A5C6E58AD7E6036EF02123720A85E988A0BC872FAE57EC793,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000190779Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:17.719{414E8EDF-B0C9-6218-6A00-000000003702}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52719-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000190778Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:18.312{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADF0BA52A64BCED68BB3EDE094BF387E,SHA256=860BD369C2DC0ADD4BBD20664808B5711227512CC7AE212D93411B204187B1C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135698Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:19.913{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32D7C9CDD2EAF1A2A3F4634F9FD184BD,SHA256=EACE2B214A5CDBA1F8AB5D55261282AE0F0753314783F26E0C92029228F1CE76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190780Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:19.328{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D14573376EBB5006E7249C87E25B54A,SHA256=73B3C8D6A5B44B7DC6113F87E77A759EA471F0B7C550D544DF66E9A8343AD150,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000135697Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:16.695{6AAC6DF5-B0C0-6218-5B00-000000003802}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-933.eu-central-1.compute.internal51002-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000135699Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:20.960{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF222DF5740A68DA345AD9A8B2C70DE1,SHA256=A4A78F9C2CC45D62BD37EFBF7ED723DA7D11B4FD5F0186751551F7A51B2AD99D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190781Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:20.562{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11ED16F55E10BE0E5015D1050AAA2C1D,SHA256=F4BB20EE3DD8DA551E66671A2D4CFAD8163CFF17A95CEEC34B2A90FFC0AEF602,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135700Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:21.976{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=545717BEFBBA00AB3775E19B671DD04D,SHA256=6493FA11570FD2A68C34301255D0DFFA2ECB56BA87BF2F5D343BB2F6C66D1216,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190782Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:21.563{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02C7E4318BB991E6FBF894C4C15520D9,SHA256=8E0773D09855D6E3C00E6C3DAA66D87B5D0C9B4DFEC7592EEEC1CB07A2C35AF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135701Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:22.991{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA9345D253AF86D7C9A13015F5E67A41,SHA256=D871852FB5BD4B94D72401BEB4996547E4D1AB1E4E4B1F482DC1ED8240100D02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190783Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:22.687{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E08352481B428135EF48BCFE383EE81D,SHA256=E8AF4AC3FC50CAFB1C7F80741F2701ED6DF36D3D3C8A332D8559B32D98811950,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190784Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:23.687{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDEF974EFC8B43A51B7352C45BEADB2F,SHA256=756166FDF4503B3BEE010F1CA231CF6A32EC1C878233FC0D43CD0E039E9CA2DF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000190786Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:23.672{414E8EDF-B0C9-6218-6A00-000000003702}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52720-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000190785Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:24.750{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00AF0E405315EA7807169A066DE6F5E2,SHA256=0EC1AC61BE2A603FAB48D3DD84FD1ED8D883EB3F9A3C7E1289CE2442CCD163F0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000135703Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:22.741{6AAC6DF5-B0C0-6218-5B00-000000003802}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-933.eu-central-1.compute.internal51003-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000135702Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:24.038{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E868A0CFB137633F4EC65701F1E1C94C,SHA256=3AAFB5F60C6E1A432BD885D76A5A7E52E7D6738F7B5C207231F906A91AB6292D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190789Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:25.958{414E8EDF-B0BE-6218-2400-000000003702}2716NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0cad71091a725587e\channels\health\respondent-20220225103441-108MD5=E961008872A85D9E7B2EDCDB9076BE5A,SHA256=4C7B4263F3F8553ACCFCCC53A0FA56737D447810FFCB4A43A3BA8D688A9FDFED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190788Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:25.767{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=720A8113FFF7657D0935B4C11E719BFC,SHA256=64557E35F4699F7AB0AC7C99247CE230483DF2E7460D05B1524C066762C72B21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135704Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:25.069{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89AD161CA23DD3029C15856299C467C1,SHA256=D389BD1FB3BE43B57399C8F241A640FE11C0011CB398CF3BE046171AC50FFBD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190787Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:25.532{414E8EDF-B0B1-6218-1100-000000003702}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=5871973B89362AF2D36F5953D632D8DE,SHA256=57BDBE55ACBB41E3798F5328232C231B905DAC9A9A74759B006579729C415C02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190791Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:26.957{414E8EDF-B0BE-6218-2400-000000003702}2716NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0cad71091a725587e\channels\health\surveyor-20220225103439-109MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190790Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:26.815{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DF8614AC0D8D2359DBD891AA7F7B011,SHA256=7C49ADB50AD0C67C61837CFDF0D7F22255F97B97BE880FFBD7D3AB4705C35947,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135706Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:26.820{6AAC6DF5-B0B1-6218-1300-000000003802}108NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=DB980608119E13EC2A40CFDB913F9D77,SHA256=AD119C0C2FD4289DB1C7248E632F449F7C836E054A7BEC89A4468C674935A3A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135705Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:26.116{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBB847A107F193A4C1614F5B33426CAB,SHA256=337D0DC7A7C9DDDE751FFDF5FDEA2C026F410385281E7BF453619CB6B623F03F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190792Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:27.817{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E45A92BD458681A057E5900625DEFD7,SHA256=7F2FB6C163E4A63A9FD9C861AB13FB0A39D7963A6947A79E6F5689EA8F69D6C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135707Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:27.132{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C1B1A39EE4CA997997D845311C3BE39,SHA256=E09D2534D160C8EDC86DB16BF76F5A53AE47DD21F2997E85F15A301E54479062,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190793Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:28.832{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EB1CE4F1D1E137795202D3FBBB7477E,SHA256=B5B8B2FDDA9E3BFA8088F1C64FDFC3C40D65803EBD9BBC5A73CFE26FA2FA2E80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135708Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:28.148{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0894F687DDFF4518737D4348BC92AEB4,SHA256=B86A4F663C376473A2DE8E6438A40CEF4EA04359ABF947CC50DB7204B2CF99B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190794Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:29.864{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0E8DA4A94DE9ECA1B91DE8FFECD685C,SHA256=5F21AEFB8122A2210539D4945E6F76F001D23979EA181F0FEE300B477BBD610F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000135712Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:29.960{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B1-6218-1500-000000003802}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135711Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:29.960{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B1-6218-1500-000000003802}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135710Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:29.960{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B1-6218-1500-000000003802}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000135709Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:29.179{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4B68837E5A418E0962A171DDB46C56B,SHA256=CFECC6E0724C26B192373CDB7C0921D7D0F5F3CD31BF42BD8DEBAEDDD7C527D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190795Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:30.942{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0CDAA1DECE99C5203FE0739304C641F,SHA256=CCABB561F1B5DA9730C200E39393A233946D7122A1A5BFCF6CAEBC9E52BA76A4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000135715Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:28.678{6AAC6DF5-B0C0-6218-5B00-000000003802}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-933.eu-central-1.compute.internal51004-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000135714Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:30.241{6AAC6DF5-B0B2-6218-2200-000000003802}1500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=4A396A40DE4AD844AFDFD6BFEE34209D,SHA256=ABC582D2644B8C5C1CF17206963A01B55D9A40BBB1979B03D8F2D216AA803ABE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135713Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:30.194{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22D7547AB69A9EF56F7D67773871980B,SHA256=DB69D3DA0C061909EBB55C4FBDCE15031FD1DA38C608401BBA006CD0C36E2324,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190797Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:31.942{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BB139D28BAD626F93BC10CF899181F8,SHA256=F1D2A771A407C8682516D07338540D2A931132F51D99B697CDDB4BC43B489A47,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000135717Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:29.724{6AAC6DF5-B0B2-6218-2200-000000003802}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-933.eu-central-1.compute.internal51005-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000135716Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:31.210{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9849A9687B87D4676270D0E1BB54D833,SHA256=E0799041E4DB1E663EFC01319FE67053C020CD33EEE1B0CD4799368DDE193D49,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000190796Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:29.567{414E8EDF-B0C9-6218-6A00-000000003702}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52721-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000190798Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:32.973{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DFC2489CD2BEC7149406E5AD65E2D5E,SHA256=F93F244AE60D5066F33DAD0F13F5647193C49240210CB2F7EADB4484E12BED43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135718Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:32.241{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC958E81E443E7CCB004EEC00EC70F90,SHA256=7F1AEDC4DC2CFCD307309BD9EE449A646BBE168BC4BA0BC6F9D9F8ACC1117F33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190799Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:33.989{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1F0510E8D0280974E6B5C495F87D2E1,SHA256=71F201AF0CE9FF711BB723F6C91C0BDAF0436D7813C8DBAC8E2802F5EBC65CE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135719Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:33.351{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B75F6CCA52C6D5DA3CFF7DB338A7259,SHA256=0FDCF21C041AD423F0586E178F5A41428B80B51BB31BDA80B53712333E574F4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135720Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:34.366{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B8FE7E4606B2A34D7EB867A4AE94681,SHA256=77AB2831D5EE5356EBE4BA6140493990CEC2D075EE0384CC7C9714997F29E5DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135721Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:35.382{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14EBC34A3F65D2A5C109CD68F882DAA0,SHA256=2628FAFAC696F0904BC079CDF1E17F7724B48A07E12D9D370274F6925E7095E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190800Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:35.004{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF51470D3571E42665BF66C55DB92F6D,SHA256=01C86A1C396E1868DA46905A9D432BD04A1F70A144256BE7B8F78A7D91193637,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135722Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:36.382{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C5FA90BA817FD320607786D6B3EC47A,SHA256=AF1006D925B7F2C49829705FDA5AA06A530A76AA67590873F0BC9F8449846C92,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000190802Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:34.582{414E8EDF-B0C9-6218-6A00-000000003702}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52722-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000190801Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:36.020{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01E7E77B995E3766C7297E9E4AE01C89,SHA256=76EB8C552BCD254D4FBC36D95564CEA6D6214A10D3A50ABBD3D380E16F22896A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135724Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:37.398{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=317679128843F1E6A87D513714FE1F0D,SHA256=8FADF1BFAE196D53BB987906553BBB3A23A1FDE4D1D23C8C2AFECEB477E05F9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190803Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:37.020{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=960DE0FA5BCC6FF729691073D3B69A37,SHA256=80BDB4974F8C4EED4BD3D1DC4E605510935ED055C48A256B96095A13C2A3EC3F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000135723Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:34.724{6AAC6DF5-B0C0-6218-5B00-000000003802}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-933.eu-central-1.compute.internal51006-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000135725Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:38.413{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84473C40A496B0D8BB50FCEB05C5F7F1,SHA256=C58847CABC902172E0BED28A4AAC4085FBA1A4FA6BA9750843373E7503015D73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190805Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:38.660{414E8EDF-B0BE-6218-2900-000000003702}2792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=4A396A40DE4AD844AFDFD6BFEE34209D,SHA256=ABC582D2644B8C5C1CF17206963A01B55D9A40BBB1979B03D8F2D216AA803ABE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190804Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:38.035{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53FB2D31C0E045502F3F6AC8775D8ADB,SHA256=CB41B5DD71F09A6BEAFD01F150748F954F5AE2AC9965E9ACCE77024655AAEECE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135726Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:39.429{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0B270C5DA0442617EE5843B57DDE0FB,SHA256=29857404AFBC9995044F9004AE87F3B02972874CD2890948C25C0970EBBF81ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190806Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:39.036{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87C3B03C06FC6575237877058DEF3119,SHA256=CA10103509F4D2994C895D90F6B6A936E57518220D5B504E830C97FEB981E05D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000135741Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:40.851{6AAC6DF5-CB00-6218-A503-000000003802}25763036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{6AAC6DF5-B0B2-6218-2200-000000003802}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135740Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:40.569{6AAC6DF5-B0B4-6218-2B00-000000003802}28082828C:\Windows\system32\conhost.exe{6AAC6DF5-CB00-6218-A503-000000003802}2576C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135739Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:40.569{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135738Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:40.569{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135737Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:40.569{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135736Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:40.569{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135735Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:40.569{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135734Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:40.569{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135733Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:40.569{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135732Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:40.569{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135731Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:40.569{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135730Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:40.569{6AAC6DF5-B0AF-6218-0500-000000003802}424440C:\Windows\system32\csrss.exe{6AAC6DF5-CB00-6218-A503-000000003802}2576C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000135729Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:40.569{6AAC6DF5-B0B2-6218-2200-000000003802}15003888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6AAC6DF5-CB00-6218-A503-000000003802}2576C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000135728Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:40.571{6AAC6DF5-CB00-6218-A503-000000003802}2576C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6AAC6DF5-B0B0-6218-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{6AAC6DF5-B0B2-6218-2200-000000003802}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000135727Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:40.444{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD966F7DDE6DF020AC00E3F5732BCCC0,SHA256=31EB28A61956091564E5E600B3F7411D17D85BB267153826B116B7BAEF700E0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190807Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:40.051{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48EF41089A479668292209CB7BDB49DE,SHA256=7BE81F856D4B0808C288A0BF8C51244DDA97A1F6B0DD9B11E2F790502845A888,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000135770Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:41.913{6AAC6DF5-B0B4-6218-2B00-000000003802}28082828C:\Windows\system32\conhost.exe{6AAC6DF5-CB01-6218-A703-000000003802}2840C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135769Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:41.913{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135768Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:41.913{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135767Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:41.913{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135766Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:41.913{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135765Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:41.913{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135764Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:41.913{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135763Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:41.913{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135762Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:41.913{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135761Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:41.913{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135760Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:41.913{6AAC6DF5-B0AF-6218-0500-000000003802}4241012C:\Windows\system32\csrss.exe{6AAC6DF5-CB01-6218-A703-000000003802}2840C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000135759Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:41.913{6AAC6DF5-B0B2-6218-2200-000000003802}15003888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6AAC6DF5-CB01-6218-A703-000000003802}2840C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000135758Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:41.914{6AAC6DF5-CB01-6218-A703-000000003802}2840C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6AAC6DF5-B0B0-6218-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{6AAC6DF5-B0B2-6218-2200-000000003802}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000135757Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:41.694{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=57F39FC958C3C4C4E1F47B478E7BCD49,SHA256=46A9001207CDB9C7E0A042B61D7B3B0823A77D017DCF439512FB15D1697D6CDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135756Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:41.694{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6883825AD1EA1C5B35B566AE9934B273,SHA256=EA40C8DD40094ABE76A51ACE8FE9F2BB964E248DABF1FD48BCE7E3F76792014B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135755Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:41.694{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2153158F73A03D81F99C25985499DF9C,SHA256=1AB280D74FE6330EFF17A6E15D84A917CEE4BBE5898E330CC81F60E174542F1B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000190810Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:39.629{414E8EDF-B0C9-6218-6A00-000000003702}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52724-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000190809Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:39.129{414E8EDF-B0BE-6218-2900-000000003702}2792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52723-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000190808Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:41.067{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FDD18086EB2C41D12FD197F1A93890A,SHA256=E538E9764F8156C924F6F02916F8BBB1ADCA24D0A4F86184ADC47EB0E5F1E434,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000135754Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:41.241{6AAC6DF5-B0B4-6218-2B00-000000003802}28082828C:\Windows\system32\conhost.exe{6AAC6DF5-CB01-6218-A603-000000003802}2464C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135753Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:41.241{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135752Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:41.241{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135751Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:41.241{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135750Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:41.241{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135749Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:41.241{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135748Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:41.241{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135747Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:41.241{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135746Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:41.241{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135745Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:41.241{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135744Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:41.241{6AAC6DF5-B0AF-6218-0500-000000003802}424540C:\Windows\system32\csrss.exe{6AAC6DF5-CB01-6218-A603-000000003802}2464C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000135743Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:41.241{6AAC6DF5-B0B2-6218-2200-000000003802}15003888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6AAC6DF5-CB01-6218-A603-000000003802}2464C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000135742Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:41.242{6AAC6DF5-CB01-6218-A603-000000003802}2464C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6AAC6DF5-B0B0-6218-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{6AAC6DF5-B0B2-6218-2200-000000003802}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000135772Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:42.944{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=57F39FC958C3C4C4E1F47B478E7BCD49,SHA256=46A9001207CDB9C7E0A042B61D7B3B0823A77D017DCF439512FB15D1697D6CDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135771Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:42.741{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B56B32FD74D9B5C44878349E9D684118,SHA256=17DC5981636BCB5E95191E2B5B56AC024F1FD702F951340982C13373FBC20C28,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000190814Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:42.254{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0B1-6218-1500-000000003702}1240C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190813Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:42.254{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0B1-6218-1500-000000003702}1240C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190812Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:42.254{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0B1-6218-1500-000000003702}1240C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000190811Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:42.082{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A66BD0F2CC40D3D615F16EBABB5E931E,SHA256=6B9B6827EB4358368366B2C7E30116256F6A437F3975731755BD8DF802300F01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135774Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:43.788{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52E8838EC4666C77C83E9CDA87A9564F,SHA256=52C971AA3A2925C18FB029D0D178BA9D477DF10AE5C6CE269524CC626D604250,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190815Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:43.082{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC84D9E38A26CDCFFC9890FA2F748ED6,SHA256=05C1AE61C27746124F830FABD76CEA6B61215459860C6EFFB421C3DE9DD7A86D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000135773Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:40.646{6AAC6DF5-B0C0-6218-5B00-000000003802}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-933.eu-central-1.compute.internal51007-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000135789Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:44.882{6AAC6DF5-CB04-6218-A803-000000003802}25442616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6AAC6DF5-B0B2-6218-2200-000000003802}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000135788Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:44.804{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD51260689B6056B120F49AA6670413F,SHA256=E72D8556954B3E14B514BCABBF371B0CCD15473FB405756EB9FED1ACD57C30B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190816Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:44.098{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E463E22A8B4B53D9D52B52FA1FC863D,SHA256=FC1FF22F32D9FFDD18694973E2EA90B3608754AC6A216FD9D6C17AC979425031,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000135787Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:44.632{6AAC6DF5-B0B4-6218-2B00-000000003802}28082828C:\Windows\system32\conhost.exe{6AAC6DF5-CB04-6218-A803-000000003802}2544C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135786Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:44.632{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135785Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:44.632{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135784Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:44.632{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135783Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:44.632{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135782Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:44.632{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135781Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:44.632{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135780Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:44.632{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135779Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:44.632{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135778Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:44.632{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135777Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:44.632{6AAC6DF5-B0AF-6218-0500-000000003802}424440C:\Windows\system32\csrss.exe{6AAC6DF5-CB04-6218-A803-000000003802}2544C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000135776Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:44.632{6AAC6DF5-B0B2-6218-2200-000000003802}15003888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6AAC6DF5-CB04-6218-A803-000000003802}2544C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000135775Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:44.633{6AAC6DF5-CB04-6218-A803-000000003802}2544C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{6AAC6DF5-B0B0-6218-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6AAC6DF5-B0B2-6218-2200-000000003802}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000135805Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:45.851{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63D43A05B038B5F5CFE88694FE115207,SHA256=ACBCC3E5F3C804B77BA3764D7922B6032A6A7E65E0EBAA23A43F5167320D8697,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000190818Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:44.660{414E8EDF-B0C9-6218-6A00-000000003702}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52725-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000190817Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:45.098{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3D60DB813119BC81FE08C68FF639104,SHA256=3FB2963864DDA453D345A446CA5BE960F0B8CE7B399C81A477D4D0CD07848F57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135804Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:45.648{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=27E24F4EAE3593D0C30AF8FEA051C1CF,SHA256=0F3DDDF8346E75B986CFF0648A86F1A474B60F85126FC542EE25F41220B0C9F4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000135803Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:45.515{6AAC6DF5-CB05-6218-A903-000000003802}30402724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6AAC6DF5-B0B2-6218-2200-000000003802}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135802Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:45.273{6AAC6DF5-B0B4-6218-2B00-000000003802}28082828C:\Windows\system32\conhost.exe{6AAC6DF5-CB05-6218-A903-000000003802}3040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135801Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:45.273{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135800Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:45.273{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135799Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:45.273{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135798Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:45.273{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135797Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:45.273{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135796Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:45.273{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135795Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:45.273{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135794Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:45.273{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135793Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:45.273{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135792Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:45.273{6AAC6DF5-B0AF-6218-0500-000000003802}424540C:\Windows\system32\csrss.exe{6AAC6DF5-CB05-6218-A903-000000003802}3040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000135791Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:45.273{6AAC6DF5-B0B2-6218-2200-000000003802}15003888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6AAC6DF5-CB05-6218-A903-000000003802}3040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000135790Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:45.274{6AAC6DF5-CB05-6218-A903-000000003802}3040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6AAC6DF5-B0B0-6218-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6AAC6DF5-B0B2-6218-2200-000000003802}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000135819Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:46.960{6AAC6DF5-B0B4-6218-2B00-000000003802}28082828C:\Windows\system32\conhost.exe{6AAC6DF5-CB06-6218-AA03-000000003802}1136C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135818Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:46.960{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135817Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:46.960{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135816Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:46.960{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135815Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:46.960{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135814Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:46.960{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135813Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:46.960{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135812Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:46.960{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135811Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:46.960{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135810Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:46.960{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135809Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:46.960{6AAC6DF5-B0AF-6218-0500-000000003802}424540C:\Windows\system32\csrss.exe{6AAC6DF5-CB06-6218-AA03-000000003802}1136C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000135808Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:46.960{6AAC6DF5-B0B2-6218-2200-000000003802}15003888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6AAC6DF5-CB06-6218-AA03-000000003802}1136C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000135807Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:46.961{6AAC6DF5-CB06-6218-AA03-000000003802}1136C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6AAC6DF5-B0B0-6218-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{6AAC6DF5-B0B2-6218-2200-000000003802}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000135806Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:46.866{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22AAB1FBB39DCBF80FD16C65074A7353,SHA256=32D60232E997168BC507722D5CBA96839337555941320315DBA649300B97759F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190819Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:46.098{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FA0899D64C2FBA83C19046B5C07C21C,SHA256=297BAB77B00F2A4C77341DD95497946439EB77691BEF658CA616292C5D10F929,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135821Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:47.898{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C794AC30D3A0BE3DCC43036A0070E06F,SHA256=59681C758CA176E1D5A484304A72B98E3565C1E8EDB2466CF12527FF976E330A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190820Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:47.114{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3F018CDC46CD14FEDCA94268915EA05,SHA256=8B96515C31F62B3F05421278C432977C78118B042532DF655FF6AEA96E7E7DFD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000135820Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:47.132{6AAC6DF5-CB06-6218-AA03-000000003802}11363292C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{6AAC6DF5-B0B2-6218-2200-000000003802}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000135837Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:48.944{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAA387781DDED975CC41E3C7EBF0EA97,SHA256=9B73315FB8248BFFD2083E0A3ABA4E466B3237441D546C51AD1D8F44BAB00928,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190821Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:48.129{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5ADC27BD2AB3249F7B76298AEC2B43DB,SHA256=158B9E295E49F2DB8948E1D91A1D3B3E9DEE1505482E8CBB552706CCFB464800,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000135836Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:46.615{6AAC6DF5-B0C0-6218-5B00-000000003802}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-933.eu-central-1.compute.internal51008-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000135835Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:48.116{6AAC6DF5-B0B4-6218-2B00-000000003802}28082828C:\Windows\system32\conhost.exe{6AAC6DF5-CB08-6218-AB03-000000003802}528C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135834Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:48.116{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135833Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:48.116{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135832Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:48.116{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135831Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:48.116{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135830Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:48.116{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135829Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:48.116{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135828Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:48.116{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135827Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:48.116{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135826Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:48.116{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135825Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:48.116{6AAC6DF5-B0AF-6218-0500-000000003802}4241012C:\Windows\system32\csrss.exe{6AAC6DF5-CB08-6218-AB03-000000003802}528C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000135824Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:48.116{6AAC6DF5-B0B2-6218-2200-000000003802}15003888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6AAC6DF5-CB08-6218-AB03-000000003802}528C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000135823Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:48.117{6AAC6DF5-CB08-6218-AB03-000000003802}528C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6AAC6DF5-B0B0-6218-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{6AAC6DF5-B0B2-6218-2200-000000003802}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000135822Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:48.054{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C9ED809235D73A7F3D4EFAFECC6B9AD2,SHA256=0E5268EAB6A96EC49FB0B73CA022060BF7750603A1EFD4A6D832E072FF68AF07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190822Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:49.145{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6606E11169638CB5BE4E873477BBB9D9,SHA256=64469A43FFD743FF4A83C26A1EC6296F10B9ACEAFA38DF35BB1EB2D881F3786A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135838Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:49.148{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E740D649E6DD909F2CBD6FD4A4F29EA2,SHA256=9826F4FAE79582DCAAF31D7A2CB3FD2DB89A644F50A358D165FB6DD043BD81F5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000190839Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:50.879{414E8EDF-B0C0-6218-3300-000000003702}31843204C:\Windows\system32\conhost.exe{414E8EDF-CB0A-6218-FA03-000000003702}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190838Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:50.879{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190837Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:50.879{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190836Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:50.879{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190835Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:50.879{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190834Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:50.879{414E8EDF-B0AE-6218-0500-000000003702}416432C:\Windows\system32\csrss.exe{414E8EDF-CB0A-6218-FA03-000000003702}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000190833Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:50.879{414E8EDF-B0BE-6218-2900-000000003702}27923692C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{414E8EDF-CB0A-6218-FA03-000000003702}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000190832Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:50.880{414E8EDF-CB0A-6218-FA03-000000003702}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{414E8EDF-B0AE-6218-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{414E8EDF-B0BE-6218-2900-000000003702}2792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000190831Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:50.379{414E8EDF-B0C0-6218-3300-000000003702}31843204C:\Windows\system32\conhost.exe{414E8EDF-CB0A-6218-F903-000000003702}2684C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190830Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:50.379{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190829Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:50.379{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190828Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:50.379{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190827Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:50.379{414E8EDF-B0AE-6218-0500-000000003702}4165324C:\Windows\system32\csrss.exe{414E8EDF-CB0A-6218-F903-000000003702}2684C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000190826Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:50.379{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190825Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:50.379{414E8EDF-B0BE-6218-2900-000000003702}27923692C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{414E8EDF-CB0A-6218-F903-000000003702}2684C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000190824Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:50.380{414E8EDF-CB0A-6218-F903-000000003702}2684C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{414E8EDF-B0AE-6218-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{414E8EDF-B0BE-6218-2900-000000003702}2792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000190823Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:50.161{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECD7C84C96884A04C32778B59AC6A55E,SHA256=FAD1C83EEB9EDC7709D756B3C90A9882F3748F70300702CC857356BCDD2BFF3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135839Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:50.038{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A9F4466E0EEDB9E6AAB620D8F2838A3,SHA256=4464AD7F791E141534F3794157468EB4098BBDA294D2C6D8A6F28AF0AA2C9B68,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000190852Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:51.739{414E8EDF-CB0B-6218-FB03-000000003702}58844340C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{414E8EDF-B0BE-6218-2900-000000003702}2792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000190851Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:50.567{414E8EDF-B0C9-6218-6A00-000000003702}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52726-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000190850Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:51.504{414E8EDF-B0C0-6218-3300-000000003702}31843204C:\Windows\system32\conhost.exe{414E8EDF-CB0B-6218-FB03-000000003702}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190849Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:51.504{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190848Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:51.504{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190847Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:51.504{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190846Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:51.504{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190845Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:51.504{414E8EDF-B0AE-6218-0500-000000003702}4165324C:\Windows\system32\csrss.exe{414E8EDF-CB0B-6218-FB03-000000003702}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000190844Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:51.504{414E8EDF-B0BE-6218-2900-000000003702}27923692C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{414E8EDF-CB0B-6218-FB03-000000003702}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000190843Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:51.505{414E8EDF-CB0B-6218-FB03-000000003702}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{414E8EDF-B0AE-6218-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{414E8EDF-B0BE-6218-2900-000000003702}2792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000190842Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:51.426{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=87693F9CC20812F66669DC5604B6A8EE,SHA256=7BBD11B380736CCB93E5DD62D9140E75A6AF21F952D4F6D754CDB00D31052A84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190841Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:51.426{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=368FFB34DC2D7F04717E5414C087BAD4,SHA256=8950E47F5B0033CF38141BACEF85F85B6D6FB12267BAE104B48652759475F5AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190840Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:51.176{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CBE3C2F0F72AFD6FD951334DB6B3FA1,SHA256=51B8C9E9ACC21B222C88C1429273CF5104897083F880E8F4721B064A154D17D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135840Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:51.054{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD08DE68C201B3F2CBEB596502251849,SHA256=1C7AFA46A1C41020FC2EFC91B87E377029BA67AD99AE4933E77BA96257198648,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135841Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:52.085{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C42428C604CE96ED1693A145F18A9BB,SHA256=EEED1BC74C748BBB3420EEDD24A7147DF43603BF8E3EB9E760FD8CC2A2BFF47C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000190871Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:52.958{414E8EDF-B0C0-6218-3300-000000003702}31843204C:\Windows\system32\conhost.exe{414E8EDF-CB0C-6218-FD03-000000003702}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190870Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:52.958{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190869Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:52.958{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190868Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:52.958{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190867Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:52.958{414E8EDF-B0AE-6218-0500-000000003702}416432C:\Windows\system32\csrss.exe{414E8EDF-CB0C-6218-FD03-000000003702}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000190866Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:52.958{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190865Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:52.958{414E8EDF-B0BE-6218-2900-000000003702}27923692C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{414E8EDF-CB0C-6218-FD03-000000003702}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000190864Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:52.958{414E8EDF-CB0C-6218-FD03-000000003702}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{414E8EDF-B0AE-6218-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{414E8EDF-B0BE-6218-2900-000000003702}2792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000190863Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:52.582{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=87693F9CC20812F66669DC5604B6A8EE,SHA256=7BBD11B380736CCB93E5DD62D9140E75A6AF21F952D4F6D754CDB00D31052A84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190862Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:52.192{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45418A032BFD74AE08A6E36FD0071813,SHA256=D3ADFB0876470E457DCDCF5D6A35225F1A4ED9E6EFFFC4833EE8EF81DE88ED4E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000190861Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:52.176{414E8EDF-CB0C-6218-FC03-000000003702}44845988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{414E8EDF-B0BE-6218-2900-000000003702}2792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190860Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:52.004{414E8EDF-B0C0-6218-3300-000000003702}31843204C:\Windows\system32\conhost.exe{414E8EDF-CB0C-6218-FC03-000000003702}4484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190859Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:52.004{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190858Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:52.004{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190857Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:52.004{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190856Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:52.004{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190855Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:52.004{414E8EDF-B0AE-6218-0500-000000003702}416372C:\Windows\system32\csrss.exe{414E8EDF-CB0C-6218-FC03-000000003702}4484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000190854Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:52.004{414E8EDF-B0BE-6218-2900-000000003702}27923692C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{414E8EDF-CB0C-6218-FC03-000000003702}4484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000190853Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:52.005{414E8EDF-CB0C-6218-FC03-000000003702}4484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{414E8EDF-B0AE-6218-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{414E8EDF-B0BE-6218-2900-000000003702}2792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000135842Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:53.116{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0E752D447030CEA11FBFEF3F8D5D486,SHA256=718636C874CA44B6560412748E16EEFC7F6D2D061B6A6B94873D6FD7DF53A478,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190885Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:53.973{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=900FB4B5B1D758568C30833B647E8851,SHA256=BFA19046FBA3F4135B0014DE20E8E3B6656D801211D3D3F8A85B7A2E2665C495,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000190884Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:53.801{414E8EDF-CB0D-6218-FE03-000000003702}50882612C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{414E8EDF-B0BE-6218-2900-000000003702}2792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000190883Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:52.911{414E8EDF-B0AE-6218-0B00-000000003702}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-478.attackrange.local52727-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-478.attackrange.local389ldap 354300x8000000000000000190882Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:52.911{414E8EDF-B0BE-6218-2B00-000000003702}2820C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-478.attackrange.local52727-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-478.attackrange.local389ldap 10341000x8000000000000000190881Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:53.629{414E8EDF-B0C0-6218-3300-000000003702}31843204C:\Windows\system32\conhost.exe{414E8EDF-CB0D-6218-FE03-000000003702}5088C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190880Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:53.629{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190879Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:53.629{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190878Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:53.629{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190877Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:53.629{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190876Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:53.629{414E8EDF-B0AE-6218-0500-000000003702}416532C:\Windows\system32\csrss.exe{414E8EDF-CB0D-6218-FE03-000000003702}5088C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000190875Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:53.629{414E8EDF-B0BE-6218-2900-000000003702}27923692C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{414E8EDF-CB0D-6218-FE03-000000003702}5088C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000190874Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:53.631{414E8EDF-CB0D-6218-FE03-000000003702}5088C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{414E8EDF-B0AE-6218-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{414E8EDF-B0BE-6218-2900-000000003702}2792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000190873Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:53.208{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=503385903CCADFAFF228391D757F9DD4,SHA256=379667C24AC72B0F215FE9454B217235902E442842825FD5E7E6981FDD3BBFEE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000190872Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:53.129{414E8EDF-CB0C-6218-FD03-000000003702}29441912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{414E8EDF-B0BE-6218-2900-000000003702}2792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000135844Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:52.568{6AAC6DF5-B0C0-6218-5B00-000000003802}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-933.eu-central-1.compute.internal51009-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000135843Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:54.163{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C1F70B3D0EBCF3E87781244EA6031C7,SHA256=A2AE21E7BCC6BAEE524535C9B053711730CA24CDF41360EE929052FED9F086F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190886Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:54.223{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79891D133F9F96A07E1FC881DC2ACA54,SHA256=2095E206575A685AEAA5B14A586A03FA7C379D0AFFF8004DE28BF41687EBF5D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190887Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:55.223{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F682666938C2B0C193C91FC3CD655151,SHA256=CDE94A610A835886B6809AE01D03017DE06027C2D120EAC4751A56378519ED6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135845Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:55.163{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEEB7A2734CBE3B7465DA2BA1B3637A8,SHA256=850A0ACA93B817DCC33AB9ECDBDF9C90A77EBC1C0FBFCA9713F5C008554A7745,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135846Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:56.210{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F8794B222E1598682A1FF78A4C6CA91,SHA256=9A868CA63AB79738F7DD57EC00189C085512588D58EE53CBE627A07A01168791,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000190897Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:55.707{414E8EDF-B0C9-6218-6A00-000000003702}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52728-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000190896Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:56.692{414E8EDF-B0C0-6218-3300-000000003702}31843204C:\Windows\system32\conhost.exe{414E8EDF-CB10-6218-FF03-000000003702}5368C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190895Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:56.692{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190894Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:56.692{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190893Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:56.692{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190892Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:56.692{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190891Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:56.692{414E8EDF-B0AE-6218-0500-000000003702}416432C:\Windows\system32\csrss.exe{414E8EDF-CB10-6218-FF03-000000003702}5368C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000190890Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:56.692{414E8EDF-B0BE-6218-2900-000000003702}27923692C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{414E8EDF-CB10-6218-FF03-000000003702}5368C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000190889Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:56.693{414E8EDF-CB10-6218-FF03-000000003702}5368C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{414E8EDF-B0AE-6218-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{414E8EDF-B0BE-6218-2900-000000003702}2792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000190888Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:56.239{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B65A8C4C7DFFE4B96CB177EC3867302,SHA256=8B7F128CD2E160A96931E38E7A8AF4C30237288C4DABC153DB987760F6AF1271,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135847Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:57.226{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3381D3A309852C700850CD3690E2BADA,SHA256=DCE6DF9C1B66E70EB03F26B13ED69CB84C975C88D08FB1EC6B18050C7FC007E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190899Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:57.692{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0640ED0B8A8C246BD92B3EBEC5ADA47B,SHA256=9967AC097EDAB1CE4C629CF387C022E2BCC61454A02DB3366D0DEB28A5097614,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190898Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:57.254{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=594DE11F6CD3D45EDFFA12F548065537,SHA256=7C6E8D3EC7732EC9F717E1823B6F6490D2A0CAF473B901B59B297002D62D44EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135848Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:58.257{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=392C31B1345154349AFA740610F11EE1,SHA256=68255A6DF0DB5AAD6F6DD7236C5D86B13A70F22A28049444594E26D7F2B0D3CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190900Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:58.270{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20AD28CB677421713345069E6E053CD2,SHA256=C3BE5CF66FE2C3E39E0C88D25504DA7169F6A0CDB3AAEF3D2F30B09EFDACEDC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190901Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:26:59.286{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5066A5541D80931271320A663560EEB,SHA256=A93FE06504D5F1385890975A4E5E95909912672F357FDB53E228423F26534EA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135849Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:59.319{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13E5D3CE53D98FDC553729667BE7043C,SHA256=CA5C3CEB5C2EE418F270BB50AFBFA63837038BF28CD14A4375DA785F37F810C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190902Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:27:00.301{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68414CCE676CD00617A28D1B72880169,SHA256=13DAB1D54349A92710117EF80D3F9DCCD80A8F977746E4BD8B4AD68E9812AE79,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000135851Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:26:58.552{6AAC6DF5-B0C0-6218-5B00-000000003802}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-933.eu-central-1.compute.internal51010-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000135850Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:00.319{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B11A391148CD7F31755A7C04FEDC99DC,SHA256=30E16AD83AAF58C88E56D19F259F18AC0556D00C4AF39B4732B935FB6239F919,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135852Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:01.336{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=971FB1B22A588C5BCE480764FF4FBB0D,SHA256=E3CE14D6E3E8268386A615AE851A442C36A1DCE373E39CDEB5D2A83B0C736A60,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000190904Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:27:00.707{414E8EDF-B0C9-6218-6A00-000000003702}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52729-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000190903Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:27:01.317{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EA10B7E947A8021BB784617432487BD,SHA256=D6FDCB311D0742F60E0C4822D4DA4B9013995ADDC106D5CF287627146DF4CA34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135853Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:02.382{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA23AA7B1D920039891F3AFCCA5059EF,SHA256=3B1E48AB9A8B6C5A0BD458D62E5FF4929E54D9EC284F90D49D132731DEE1899B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190905Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:27:02.333{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08F792ABD9D1877CE0CCAFA7FE966B3C,SHA256=EB6FACDB90ECFBF0730AF369C03CBD8032A817AD9B8F327AA02DAA8D2D93CC8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135854Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:03.413{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F854A5359340D62946AF010FAC841F26,SHA256=FC3BACDF3413B7A81FBD8CCB1F7F6F712988F925FBEE7105784AAC3F566C32BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190906Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:27:03.348{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEA11231CB492D2A5863F7258D3814E1,SHA256=2501088CB9B0576D8C358DA3D7ED84AA85C6E8EE430BE689BB23380E998BDD32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190907Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:27:04.364{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07A9350534414C5584117EB376683037,SHA256=436998764865781C47B2AE59D9ED4FD6232B5E0363E874D090BB3C482A5FE211,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135855Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:04.460{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=191084643FDB22E79224E9CEEDD423FC,SHA256=4DCB96374A357F4C9E97A3975B158DE3DDAAD567042A93F4537C60BBF4E75BBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135856Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:05.507{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A70995B30A496372A7E31FCDFEDDE90,SHA256=F6CADD3C1BC3A75F99E3665823AFC46CC953632C46A4317EEF6DE673059CF59F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190908Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:27:05.364{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB50B09835B545C55DEC5988236C64E6,SHA256=33D55EE751B6D003D4FFB16D88C3EE73B314A02195057D373874B3EB40F6E336,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135858Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:06.523{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18EF52A9D8E85D1719A2189B8822B0A3,SHA256=ED4FBAED26DB9DE19F3FBDF6DF050D1C02920E01715E26C00938DF82A53A11D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190909Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:27:06.379{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=414A8538615982CE8E7B05BB69C9853E,SHA256=83FB6CC88D1C0C34D8CDD2F959D15F37C492E7932BB678550ECDE540BDFC9B45,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000135857Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:03.724{6AAC6DF5-B0C0-6218-5B00-000000003802}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-933.eu-central-1.compute.internal51011-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000135859Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:07.523{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61AFDA0CBB30001292C67955D103A1D8,SHA256=C37859B8781C371D15EACE92683B3E0D27982931CAA689E47D6E2154AC367C33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190911Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:27:07.395{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DA4A65FBA1845C450B5DB42EBCF782F,SHA256=666E4B68B774796B3EC078770DF5AE142969DBD88FC2E0B74B26D0BE9AF03C39,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000190910Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:27:05.723{414E8EDF-B0C9-6218-6A00-000000003702}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52730-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000190912Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:27:08.395{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=308082F3626C02AF60DEFD2FDA3F2958,SHA256=062873F31DCD9498574B8A08D78261381D1406C0EC81C8F310D1BFCC40B5C244,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135860Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:08.523{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F879EEB7AFE5AEA8D5C6DEC9E9E5C1DE,SHA256=963A14A29EBE9A386E8EACB2D57AD1D777A903F6E2D31F0B35F3C3D901DFAC5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135861Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:09.538{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3350F47591F0C404371DCAB17F5D9CAC,SHA256=09E9BE1F9C3D656176E87514CF55594502F337D13B1BE382F8D52FE3733EC9BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190913Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:27:09.411{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FDE4B59900914CA672A8E412C4C3BF3,SHA256=47547D49592328B68A5798825E1176BA50B76FD6A598FE07FF549EC965D1FA62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135862Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:10.554{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=831804C5E0B8A2AC8737EBB277F61783,SHA256=9C59B038CD369F5305DC3AF37D0D989643508AA0C5A3EA2FB3212671C256C150,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190914Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:27:10.426{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F97D21056E0AEA6133291DB474557F7,SHA256=DD8354BD6AC78456C7D43C2B84A0CC2498DEDDC9CF4BA153B119551CFC3BECD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135863Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:11.569{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DD08B2A30C4E83CB097635486ABE5EB,SHA256=BFA2791D65632A094367678CF98E56C5BB3009612B5764123F0789B17EE8B27B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190915Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:27:11.442{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=667D18C798D8085A0C488113D50A1DE8,SHA256=0FA168D26E5F2FB075DA2AACF07D44D5322ADC43925A37736129C6BCE4188947,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135865Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:12.632{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B05456CD0333D809689DFFA2D035C204,SHA256=DA83E5F4D81513E8B0EE6F03A8E5AED4DE47CBB82CB3381ACCC2D9C25942AEC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190916Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:27:12.442{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1863391A38FD2AE9F54D90E067D7BBD,SHA256=D4C611516A8BEC7F16F9EC9B20F9958C94051A3FF044C5A5C5F07480979B35BC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000135864Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:09.755{6AAC6DF5-B0C0-6218-5B00-000000003802}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-933.eu-central-1.compute.internal51012-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000190920Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:27:13.551{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F35BF169FDA612E5F4261CC07B13D0DF,SHA256=28E7D1DDCE901725559C938545455735855FD5280CFBDF9C837F28F8CA269297,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135866Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:13.632{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEDD1047C2BB8F8AB1DA7891495D0C65,SHA256=B88BDD9AC39D85BBA316BDD17F1DE030F285572A511A5264606F87ED1B6C7BAF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000190919Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:27:11.692{414E8EDF-B0C9-6218-6A00-000000003702}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52731-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000190918Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:27:11.383{414E8EDF-B0AB-6218-0100-000000003702}4SystemNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.255-138netbios-dgmfalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local138netbios-dgm 354300x8000000000000000190917Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:27:11.383{414E8EDF-B0AB-6218-0100-000000003702}4SystemNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local138netbios-dgmfalse10.0.1.255-138netbios-dgm 23542300x8000000000000000135867Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:14.726{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EFF982832BD8210BDBFC60F9AF60D73,SHA256=758853AC1A66C4FD851523A5BE85623113066370234803DA190152C8D4E8B0A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190921Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:27:14.567{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52FA1EAFDFE75B9BF321BD7CE75E999F,SHA256=60B5FA0A555158FD35ECDAC2C9535C355A93CC7312A02C7757086C7B1CE6D959,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135868Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:15.726{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FF1E8FE0F6C3B4CBDA8DCDDFCFD34EE,SHA256=15157261474FEE59D42C0F13332D62CEA60988A8F0AEA95DFA30D7D3FE61EF44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190922Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:27:15.598{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4730F878D02B8C0928210BEC6C6A8A1F,SHA256=96B3639BEF8A900294B16E5F10EEC91126A42CCEC91D2799C374C4A068728F34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135870Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:16.728{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FFF339B904691B816AA14CB5C4B382D,SHA256=FED04D01A12584FE2473D2ECDF8E679149E32B56BA4E5D0A7ECF6B87AEB0776D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190923Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:27:16.614{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78AE19ADF89C6CF3C6617760ED2344C3,SHA256=306200A35332863B3084AE3C23B4817D7A2BF1D30362355D44C4496B631FACA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135869Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:16.714{6AAC6DF5-B0B2-6218-1D00-000000003802}1952NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d7ccee276d30a4b6\channels\health\respondent-20220225103429-109MD5=FBD42F5F8AA0DC0DD6067820063FF10B,SHA256=AAA41009555F09EFB0ED817562D7125DD50A33AE671816E82835424EE5CAE232,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190924Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:27:17.630{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A04C8D5CAF2654FE07B6BF3F7AA84CC,SHA256=D504BCB9C8F3914041585D728DA268FA34F4E4216604CD664006993C208505CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135873Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:17.732{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B51D3B91D0701C91F1B62709E61C4CF,SHA256=8A0D45026BDB1171432DA6AE0AC85A7F7660D4BC932797E96234BECF0AF83E87,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135872Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:17.729{6AAC6DF5-B0B2-6218-1D00-000000003802}1952NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d7ccee276d30a4b6\channels\health\surveyor-20220225103427-110MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000135871Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:15.693{6AAC6DF5-B0C0-6218-5B00-000000003802}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-933.eu-central-1.compute.internal51013-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000190925Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:27:18.677{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D004EF66281FAB88928E6E340636A768,SHA256=489E9763F1CEE6EF4C06F7D5C843D9B74E5298C4117C6C337E4B13284C5F6CB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135874Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:18.744{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D7FA6FCA206488FEF9FEE28CB20605D,SHA256=C18352BB6EDFA05AC9FFAB7AC99792DB5F71B8CCE995B4EE0A41CABC7A6868D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135875Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:19.775{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4220AD0E43E197D444348C45B26EF3D,SHA256=78A0FE2205C9791F79E671D97FB675C71A47CF826EF9C89F20EF33104F306863,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190927Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:27:19.692{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7284616C63BCE97DEC23D30849BEDCAD,SHA256=3E70FF06A54D14AE952BB28C10AEAACFC6E42FAA85B5BE3F44A9E0BFE632D2A7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000190926Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:27:17.582{414E8EDF-B0C9-6218-6A00-000000003702}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52732-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000135876Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:20.791{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55E7ADF07B0D01BDA6133E8647ADA32B,SHA256=2D07A08639AD8912B3A649FC5E087AAA48F9FDD643451A23167671A92388FAB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190928Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:27:20.723{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC9B161DFFEFEF21A849792E48D758F3,SHA256=679F554F77619A26900C6519FCA260D219EB699B1E323B2F8953F8A51B364BB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135877Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:21.807{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D67751461ECE0354E99BFBA26D3D7AC,SHA256=5870F88612FFAF6CCCEAAF3CB70A600C88B002DB5A82D9A2F9524A5EECA38E22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190929Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:27:21.739{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BED39A1911C354F965451A16583E148E,SHA256=C8562A81044F1FB9C83F5D19025CE4A3B986249ACE129304C4BB5D715182A0C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190930Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:27:22.755{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA9365CEF9BD8F5671BD64082E45ED03,SHA256=239EA1CD8670FDEF766A074F464C7FA578DBC0F4C5D1902936739F4556FC9A1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135878Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:22.853{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD55B97169790392D9E3433C368E0545,SHA256=1EB5373BA00382C270C25C678401CF9EDDA05AC88FD8A375E33461757063C46B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135880Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:23.853{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7177864FF32F80BCCB312BF00BA21C2E,SHA256=ADD84ED09DAAA87A1ED75D500EBD60BBB3ECBC4411C7F4C36E13486A90C8B987,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190931Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:27:23.770{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0F5C92667C8FED60EBD48C41980FED1,SHA256=06EC0B79239BE5556DD51404874C9E38D80FFA96A89B603D87E5E9AA1666A68D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000135879Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:21.617{6AAC6DF5-B0C0-6218-5B00-000000003802}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-933.eu-central-1.compute.internal51014-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000135881Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:24.869{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E75EA29B1931B5065FA0C145077956A,SHA256=C4D8FACF8AAA764FBFB1A61DFF9E046B7474BF5DB7DAC38AB51C7FF64CFEE168,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000190933Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:27:23.551{414E8EDF-B0C9-6218-6A00-000000003702}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52733-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000190932Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:27:24.802{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90B9B668629339F118CA8C32927B101D,SHA256=0B93228543A31DDE650D69AFD8F0E1D7DE0EBA2504A8D47B475715F296F509E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135882Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:25.900{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DD680549EA7AFD5696BA93FC5ED0518,SHA256=1E1EFC586568F6987FD6CA7E37C76F1B535C5EA1F8B09426716BA671E9E1FAD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190935Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:27:25.833{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE8251D429CAE8F106EC874E9190AC14,SHA256=FBC60CB453144CF62C660F9E4DC9AC08E4EEA6592855E2DB2CB81A407AEE6047,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190934Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:27:25.536{414E8EDF-B0B1-6218-1100-000000003702}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=E3587C064AD6008B03428F073DB7F3CB,SHA256=B78086C8939B330F30E55F7323DFEE5D2C29C734D229D113297BB00F6AF5BC6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190936Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:27:26.833{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEABC41E906AC17CABD90F5036AC6568,SHA256=2AA761A1984002F6BC22F874826C5ABBC617163AAECFA049C81504DF3567747F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135884Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:26.916{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7D902D19483EE5378374D5F56B1E619,SHA256=1A1257E64E0357AF84579ED77B8930C271B5718A540A21E3AEA97C60884A6723,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135883Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:26.822{6AAC6DF5-B0B1-6218-1300-000000003802}108NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=CF019CA95BAC5CE66AA07E53FEF15A36,SHA256=E0B84D91C1FFA9AFB3A541EF93AAADA37EF0DA7A311CCBE1AACED30A7F806E4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135885Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:27.963{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE710C9D7B088545D9A5C81F7B61335C,SHA256=CABB50B6783676CB4719993AA4DDBA10BEC1958C12160691D4F9F1A28C0A79FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190937Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:27:27.480{414E8EDF-B0BE-6218-2400-000000003702}2716NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0cad71091a725587e\channels\health\respondent-20220225103441-109MD5=E961008872A85D9E7B2EDCDB9076BE5A,SHA256=4C7B4263F3F8553ACCFCCC53A0FA56737D447810FFCB4A43A3BA8D688A9FDFED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135886Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:28.963{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B6A5165A02265C0AEB095D4C7D79C99,SHA256=EA9D8FB6B67CBC465CF4F47C52BA33CAD367DB276A52C00BDB929E30151CDF8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190939Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:27:28.493{414E8EDF-B0BE-6218-2400-000000003702}2716NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0cad71091a725587e\channels\health\surveyor-20220225103439-110MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190938Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:27:28.039{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1264B63F531931432935F17B6092D61D,SHA256=7B5781166E7EC3C4B5547637B492501F4CE692D2E9D58CBE674533B85011FE8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135888Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:29.994{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26CB6640165109A16764761B0D76E868,SHA256=87EB9ED39AB4D32B96EC93B7F5401C09EA8FFE0B7919A2848EB0592AA9F66A83,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000190941Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:27:28.679{414E8EDF-B0C9-6218-6A00-000000003702}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52734-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000190940Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:27:29.055{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CF72D161B051E194E580A1CFC0BD51A,SHA256=6856B3BE87D295B0BF24F420FA2825B94B0095B3A79563DB76B300C1ADA149CC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000135887Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:27.633{6AAC6DF5-B0C0-6218-5B00-000000003802}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-933.eu-central-1.compute.internal51015-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000135889Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:30.260{6AAC6DF5-B0B2-6218-2200-000000003802}1500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=4A396A40DE4AD844AFDFD6BFEE34209D,SHA256=ABC582D2644B8C5C1CF17206963A01B55D9A40BBB1979B03D8F2D216AA803ABE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190942Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:27:30.087{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=179AAA35B8FF87392ED36EFF104E6397,SHA256=DC68389AEC29957168122CBE4D5E479B74DFEA55F3848F35ACC6F2800E478F27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190943Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:27:31.102{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6F2E9171D2E3649E73475E525D03F38,SHA256=F200727B6D0151F618563E309D6116145331314E76DBBB243C5E6FE4D41BAAD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135890Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:31.025{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2831D5018A942554DAC6758729E5191,SHA256=83CFF8F11C8DC246F29E333374E015C846FD22B11D2DE31EB5D06692723FECFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190944Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:27:32.102{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB32B93DA2288E8C2E5AE6A061AC9BE1,SHA256=B97ECBEF51B6C8C3D5E872056CEF28D9938FDFF2CED4286233498873696E9057,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135892Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:32.025{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51EADE2983C923724A139B06076C68FF,SHA256=B9E0777E407C77C6FE9EC57D117573D9E6B91E81F8315E4F8830A50799F5690F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000135891Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:29.742{6AAC6DF5-B0B2-6218-2200-000000003802}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-933.eu-central-1.compute.internal51016-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000190945Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:27:33.134{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10D729FC7E705DB0B384180C9378BE12,SHA256=884039FD8AC4E6877898F7BD7FA0C6AA6EFC401694CADC3697AB552F8EB4E39B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135893Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:33.041{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=571F71329FE521A7B2673FC10ACD4CD5,SHA256=16078854699CA6738C79B5AD398D88858BFACA8C5AED40D21FCBD83890CC2ED4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135894Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:34.057{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE522A44E64C098A2B4D23BCD891742A,SHA256=1C50FBDD8C730DAF3317AD4FAE3C7A5A5C0264081C7566191CC3716FA22EE3FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190946Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:27:34.134{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=104CDB18B15188A7A210683549389883,SHA256=1044C9907184D3193F15DFEA6CCD5DF7CE64825B37B944D2D57EE69CC1C0C999,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190947Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:27:35.165{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBDC77547E1BCEA11194C2C3CF43EE8A,SHA256=9168D0C314FCA9C733D37C03F0C03AFA991B809605244CB195B2B9762913EA83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135895Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:35.072{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=347F2A2A683D55D7FBF3FF5B038D361B,SHA256=4C981846A05705E4C1E0EC9EE9CEEB3842BC98FBED35387679ACD4E73E29DE8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190949Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:27:36.180{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C14A83115721D71D5CD31A1E74543EE1,SHA256=B0ED2B70A0A0C87A365CAA0B48EF187B29098E51159EA634D17B7C737436A66F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000135897Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:33.617{6AAC6DF5-B0C0-6218-5B00-000000003802}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-933.eu-central-1.compute.internal51017-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000135896Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:36.088{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=795AA30834C9E6496B82480E96E0B23B,SHA256=9BF242FFA27C22F81C417D5052507C81EEEC4A081CA550C11F9D7350932695F0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000190948Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:27:34.664{414E8EDF-B0C9-6218-6A00-000000003702}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52735-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000190950Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:27:37.181{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C35D0043D3A75EC8AB64D6B0DED427D4,SHA256=4C3A07D882B24B278B429DDDD81697D45258EA10ACDD149D5CD91122DC668700,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135898Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:37.088{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2920BA9ECC4AA87F5B5163C1D7F7DEB1,SHA256=067BF25831B61AAD390A5053F5FE5BF1CB53E381D9B1CA2965354003E675DC65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135899Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:38.103{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA723B56DA4EC2069AB35266D52613CD,SHA256=EFA1FD664CBC1BAB848AEB8BB8AE0CF9E36B1E60E6E2B931D712C94C9ADE06C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190952Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:27:38.680{414E8EDF-B0BE-6218-2900-000000003702}2792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=4A396A40DE4AD844AFDFD6BFEE34209D,SHA256=ABC582D2644B8C5C1CF17206963A01B55D9A40BBB1979B03D8F2D216AA803ABE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190951Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:27:38.196{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7729A1BD4578BD93363DABB76116EF34,SHA256=BC6AFA047922D8262340AD00D6D737FCF7C97234599D3D8ECDFD47605CD6EDEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190953Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:27:39.196{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=327EEC119E063496B818540B515D60FA,SHA256=CBC1BB38C3329396554C2A3B19909C3E29D0297FA2047460BBBCAE56D3060E49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135900Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:39.119{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38A332ECCF8163C70DEBEE5E265B528D,SHA256=7109191C9F5D5E875F0BA7F48EDD0A30B79461D13AD8781768F21BFEA4A71C9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190955Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:27:40.243{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2E3D403D854E48123B04B2D4A5A828B,SHA256=03014D51415CA09D1BD59ED76D486CA1AF963C001F928EA4068B172F5DE81E60,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000135914Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:40.557{6AAC6DF5-B0B4-6218-2B00-000000003802}28082828C:\Windows\system32\conhost.exe{6AAC6DF5-CB3C-6218-AC03-000000003802}3276C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135913Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:40.557{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135912Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:40.557{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135911Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:40.557{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135910Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:40.557{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135909Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:40.557{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135908Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:40.557{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135907Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:40.557{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135906Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:40.557{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135905Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:40.557{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135904Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:40.557{6AAC6DF5-B0AF-6218-0500-000000003802}4241012C:\Windows\system32\csrss.exe{6AAC6DF5-CB3C-6218-AC03-000000003802}3276C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000135903Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:40.557{6AAC6DF5-B0B2-6218-2200-000000003802}15003888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6AAC6DF5-CB3C-6218-AC03-000000003802}3276C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000135902Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:40.557{6AAC6DF5-CB3C-6218-AC03-000000003802}3276C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6AAC6DF5-B0B0-6218-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{6AAC6DF5-B0B2-6218-2200-000000003802}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000135901Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:40.135{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA00F35B37F521BE02E2E58FA8A12C6D,SHA256=312D6B5ACAFBC4B68BF78A1D7B479EEE5CD7B9A28006E49DC3703B0430489714,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000190954Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:27:39.164{414E8EDF-B0BE-6218-2900-000000003702}2792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52736-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000190956Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:27:41.243{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA2186B02E513A99AA324C9CE40B016B,SHA256=66692CC0C2F70F2BEB2E711249BB600938D95E945ECF42D05E94081A49EC11E2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000135945Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:41.900{6AAC6DF5-B0B4-6218-2B00-000000003802}28082828C:\Windows\system32\conhost.exe{6AAC6DF5-CB3D-6218-AE03-000000003802}1356C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135944Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:41.900{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135943Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:41.900{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135942Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:41.900{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135941Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:41.900{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135940Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:41.900{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135939Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:41.900{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135938Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:41.900{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135937Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:41.900{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135936Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:41.900{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135935Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:41.900{6AAC6DF5-B0AF-6218-0500-000000003802}4241012C:\Windows\system32\csrss.exe{6AAC6DF5-CB3D-6218-AE03-000000003802}1356C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000135934Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:41.900{6AAC6DF5-B0B2-6218-2200-000000003802}15003888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6AAC6DF5-CB3D-6218-AE03-000000003802}1356C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000135933Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:41.901{6AAC6DF5-CB3D-6218-AE03-000000003802}1356C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6AAC6DF5-B0B0-6218-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{6AAC6DF5-B0B2-6218-2200-000000003802}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000135932Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:41.572{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EC18CE0F0D204835E0C337A36F54963F,SHA256=F6CE3922008EB47A1C8520DC6E1F2F9233B1F6DC0FCB8714D5230C5850F7D126,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135931Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:41.572{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=73D2C3C7DE9E412204E68BA442C0C31C,SHA256=4738B34CC2DDAFE8289C58EF669D23F52976F94C8469E0625AFA13F502070427,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000135930Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:41.400{6AAC6DF5-CB3D-6218-AD03-000000003802}13762788C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{6AAC6DF5-B0B2-6218-2200-000000003802}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135929Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:41.228{6AAC6DF5-B0B4-6218-2B00-000000003802}28082828C:\Windows\system32\conhost.exe{6AAC6DF5-CB3D-6218-AD03-000000003802}1376C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135928Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:41.228{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135927Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:41.228{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135926Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:41.228{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135925Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:41.228{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135924Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:41.228{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135923Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:41.228{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135922Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:41.228{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135921Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:41.228{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135920Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:41.228{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135919Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:41.228{6AAC6DF5-B0AF-6218-0500-000000003802}424440C:\Windows\system32\csrss.exe{6AAC6DF5-CB3D-6218-AD03-000000003802}1376C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000135918Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:41.228{6AAC6DF5-B0B2-6218-2200-000000003802}15003888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6AAC6DF5-CB3D-6218-AD03-000000003802}1376C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000135917Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:41.229{6AAC6DF5-CB3D-6218-AD03-000000003802}1376C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6AAC6DF5-B0B0-6218-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{6AAC6DF5-B0B2-6218-2200-000000003802}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000135916Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:39.602{6AAC6DF5-B0C0-6218-5B00-000000003802}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-933.eu-central-1.compute.internal51018-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000135915Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:41.166{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA2DEFF8F8362BAB7D6A445205257EE3,SHA256=EEF8EC81F2E7BF51E78314E8EBDC03C0515BB272F463F5EE8DFB78CB486859E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190958Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:27:42.306{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D18D226DCF0B7082D14C8BBAFA45C806,SHA256=D4839146CABEABAAFB6EF3914FCA6523B74376D012F027D26B558D5B4E0791B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135947Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:42.932{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EC18CE0F0D204835E0C337A36F54963F,SHA256=F6CE3922008EB47A1C8520DC6E1F2F9233B1F6DC0FCB8714D5230C5850F7D126,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135946Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:42.400{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5937869EC49E587D3D34A9F51F41E9B7,SHA256=4985C806F399DE62483AE4B0FD246ACED6BD784BCF2B181D146ECFCC0DBF2792,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000190957Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:27:40.555{414E8EDF-B0C9-6218-6A00-000000003702}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52737-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000190959Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:27:43.337{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB74283B242D259C91AB1AA094847D56,SHA256=4981E18D17A1E40CEBB0946F8E03D1EC4AC504F76DE04BB432FFBC55501CF2BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135948Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:43.447{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20778850E27537CBE5B3143CED9B5ECD,SHA256=CEE8EFF8F022C446C49F649565FF4C4995ED6728B4148AC75DA9F88F97405070,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000135976Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:44.978{6AAC6DF5-B0B4-6218-2B00-000000003802}28082828C:\Windows\system32\conhost.exe{6AAC6DF5-CB40-6218-B003-000000003802}2980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135975Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:44.978{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135974Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:44.978{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135973Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:44.978{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135972Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:44.978{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135971Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:44.978{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135970Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:44.978{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135969Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:44.978{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135968Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:44.978{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135967Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:44.978{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135966Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:44.978{6AAC6DF5-B0AF-6218-0500-000000003802}424540C:\Windows\system32\csrss.exe{6AAC6DF5-CB40-6218-B003-000000003802}2980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000135965Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:44.978{6AAC6DF5-B0B2-6218-2200-000000003802}15003888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6AAC6DF5-CB40-6218-B003-000000003802}2980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000135964Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:44.979{6AAC6DF5-CB40-6218-B003-000000003802}2980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6AAC6DF5-B0B0-6218-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6AAC6DF5-B0B2-6218-2200-000000003802}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000135963Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:44.697{6AAC6DF5-CB40-6218-AF03-000000003802}31323296C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6AAC6DF5-B0B2-6218-2200-000000003802}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135962Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:44.478{6AAC6DF5-B0B4-6218-2B00-000000003802}28082828C:\Windows\system32\conhost.exe{6AAC6DF5-CB40-6218-AF03-000000003802}3132C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000135961Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:44.478{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7ECBF7B121602CF4D6434A26DE610C10,SHA256=91614D123D958C69D18183FE9561B3E8530218DAD468348052440E78A1E4DD3E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000135960Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:44.478{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135959Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:44.478{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135958Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:44.478{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135957Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:44.478{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135956Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:44.478{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135955Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:44.478{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135954Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:44.478{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135953Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:44.478{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135952Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:44.478{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135951Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:44.478{6AAC6DF5-B0AF-6218-0500-000000003802}424540C:\Windows\system32\csrss.exe{6AAC6DF5-CB40-6218-AF03-000000003802}3132C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000135950Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:44.478{6AAC6DF5-B0B2-6218-2200-000000003802}15003888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6AAC6DF5-CB40-6218-AF03-000000003802}3132C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000135949Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:44.480{6AAC6DF5-CB40-6218-AF03-000000003802}3132C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{6AAC6DF5-B0B0-6218-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6AAC6DF5-B0B2-6218-2200-000000003802}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000190960Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:27:44.446{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C0D5A641B63BE28D6A0AAB702C75D03,SHA256=F767BE3217CA590AD7D9C243F59E89DB8949767A94C32963A3FCABCCCDA426EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135979Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:45.932{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8996DA9BD4E2B93BAF385B6830947045,SHA256=0F58C985DABAD19BFEE1AC88B274FAC9C170DD65A959D4EBFF241F5E9650AD6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135978Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:45.510{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7A1B3819F661C936CA6F938431EA95EA,SHA256=8A008FC0597A995AE11EF2644BA4D2A7E9106A2AD7B6328C58CB66E571881220,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190961Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:27:45.462{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D3538052756B790697241E8D146CC0C,SHA256=50BFE3FDAAB9420ED9C0F1D4B2E7EDD9D649812F39B67EF030A4616BFB247179,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000135977Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:45.150{6AAC6DF5-CB40-6218-B003-000000003802}2980744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6AAC6DF5-B0B2-6218-2200-000000003802}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000190962Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:27:46.477{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E5A7B2BEC8E80B1ADD5E5C4884C9640,SHA256=1C451421E81A795EE390FB66351786ABF21A939A4FFEC483DCC3B70953BE7B34,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000135994Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:46.947{6AAC6DF5-B0B4-6218-2B00-000000003802}28082828C:\Windows\system32\conhost.exe{6AAC6DF5-CB42-6218-B103-000000003802}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135993Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:46.947{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135992Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:46.947{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135991Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:46.947{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135990Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:46.947{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135989Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:46.947{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135988Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:46.947{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135987Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:46.947{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135986Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:46.947{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135985Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:46.947{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000135984Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:46.947{6AAC6DF5-B0AF-6218-0500-000000003802}424440C:\Windows\system32\csrss.exe{6AAC6DF5-CB42-6218-B103-000000003802}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000135983Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:46.947{6AAC6DF5-B0B2-6218-2200-000000003802}15003888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6AAC6DF5-CB42-6218-B103-000000003802}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000135982Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:46.948{6AAC6DF5-CB42-6218-B103-000000003802}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6AAC6DF5-B0B0-6218-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{6AAC6DF5-B0B2-6218-2200-000000003802}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000135981Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:44.633{6AAC6DF5-B0C0-6218-5B00-000000003802}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-933.eu-central-1.compute.internal51019-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000135980Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:46.557{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFD436FD8263A8ADDB6CAA02DDC5D1E2,SHA256=3BDE9ABD64B3215AAFFF8ED7CDEF3324DCBE30600BE02C01CB5EE5CF8A4D4C8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190964Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:27:47.477{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=585D62EB7059800E2C28CB0C0E10350B,SHA256=E1A5DC218B120B73935646DA4E1E74C19BB12F20895F5D626C9C7AE6665C9485,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135997Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:47.947{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F7BEFCF2A520B5E918DF7A623987598B,SHA256=5BE5FECCCEE00A96DDF1236CE1B5FE23E2F0B003857089259BE381CBB783C960,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000135996Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:47.588{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55768F1A2B83A39D912F89CEC8C57C08,SHA256=C38E02F700F5418BE90CF4D04FBCE1416D58C811162C57C0D4BB98D5594CB365,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000190963Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:27:45.570{414E8EDF-B0C9-6218-6A00-000000003702}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52738-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000135995Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:47.135{6AAC6DF5-CB42-6218-B103-000000003802}26363472C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{6AAC6DF5-B0B2-6218-2200-000000003802}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000190965Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:27:48.493{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5063A8B1F5109FADB6021FFB5912C9D1,SHA256=498F6AE913AC191D4575B38422947D7603BD8C6F63AAC8E0BF61105080F73C9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000136011Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:48.619{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BF26520B8D0A29833B59F900A9349F2,SHA256=F865E1509341C250446DB3EC9C7AF855EDDFDDAA6CB8D7771B4FC3AFCC8C210E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000136010Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:48.057{6AAC6DF5-B0B4-6218-2B00-000000003802}28082828C:\Windows\system32\conhost.exe{6AAC6DF5-CB44-6218-B203-000000003802}3104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000136009Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:48.057{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000136008Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:48.057{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000136007Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:48.057{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000136006Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:48.057{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000136005Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:48.057{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000136004Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:48.057{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000136003Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:48.057{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000136002Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:48.057{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000136001Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:48.057{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000136000Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:48.057{6AAC6DF5-B0AF-6218-0500-000000003802}424440C:\Windows\system32\csrss.exe{6AAC6DF5-CB44-6218-B203-000000003802}3104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000135999Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:48.057{6AAC6DF5-B0B2-6218-2200-000000003802}15003888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6AAC6DF5-CB44-6218-B203-000000003802}3104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000135998Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:48.057{6AAC6DF5-CB44-6218-B203-000000003802}3104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6AAC6DF5-B0B0-6218-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{6AAC6DF5-B0B2-6218-2200-000000003802}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000190966Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:27:49.524{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B27844873164D7AA448364583A6321B6,SHA256=420D46CCC1D194D19441402EC6B8611C3F31A07E6A4F5799CB7B919153B2BF20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000136013Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:49.635{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D23547B26AEFB7E597719E6527422A3A,SHA256=F459C118C6FD2880D56DEB0BAB84B6CA229A9BF4A94B30266713381C4E686263,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000136012Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:49.072{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4C58CAEECED234DC08279D94A37D40D5,SHA256=2331110AAD0305F06A6D5D22C398289DE8FFB5986FA5B141C679035F663B3F7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000136014Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:50.697{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=820A805CEDC77E2574CD6A0FC25326C8,SHA256=AF185A98906CFE0B904FD808AA5930EC8D5D3C527EFCE90B63BDF1A9077DBBF6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000190983Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:27:50.868{414E8EDF-B0C0-6218-3300-000000003702}31843204C:\Windows\system32\conhost.exe{414E8EDF-CB46-6218-0104-000000003702}2220C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190982Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:27:50.868{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190981Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:27:50.868{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190980Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:27:50.868{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190979Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:27:50.868{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190978Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:27:50.868{414E8EDF-B0AE-6218-0500-000000003702}416432C:\Windows\system32\csrss.exe{414E8EDF-CB46-6218-0104-000000003702}2220C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000190977Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:27:50.868{414E8EDF-B0BE-6218-2900-000000003702}27923692C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{414E8EDF-CB46-6218-0104-000000003702}2220C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000190976Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:27:50.869{414E8EDF-CB46-6218-0104-000000003702}2220C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{414E8EDF-B0AE-6218-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{414E8EDF-B0BE-6218-2900-000000003702}2792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000190975Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:27:50.556{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F7EC71CE8B07A6B571C32F19234C782,SHA256=24A32453B925329B8F23C33507A9F7AC3F1ACF14DDB36570CB2BD7D82A38FFF3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000190974Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:27:50.368{414E8EDF-B0C0-6218-3300-000000003702}31843204C:\Windows\system32\conhost.exe{414E8EDF-CB46-6218-0004-000000003702}1564C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190973Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:27:50.368{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190972Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:27:50.368{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190971Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:27:50.368{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190970Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:27:50.368{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190969Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:27:50.368{414E8EDF-B0AE-6218-0500-000000003702}416372C:\Windows\system32\csrss.exe{414E8EDF-CB46-6218-0004-000000003702}1564C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000190968Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:27:50.368{414E8EDF-B0BE-6218-2900-000000003702}27923692C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{414E8EDF-CB46-6218-0004-000000003702}1564C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000190967Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:27:50.369{414E8EDF-CB46-6218-0004-000000003702}1564C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{414E8EDF-B0AE-6218-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{414E8EDF-B0BE-6218-2900-000000003702}2792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000136015Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:51.728{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8578DEF5758BE61ED1C41C23A000F1C,SHA256=F08537095F8DCD9A339C4F7153D38DA1EFA617A90435DA7A126572AA0E3660AB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191004Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:27:51.993{414E8EDF-B0C0-6218-3300-000000003702}31843204C:\Windows\system32\conhost.exe{414E8EDF-CB47-6218-0304-000000003702}5924C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191003Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:27:51.993{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191002Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:27:51.993{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191001Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:27:51.993{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191000Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:27:51.993{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190999Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:27:51.993{414E8EDF-B0AE-6218-0500-000000003702}416532C:\Windows\system32\csrss.exe{414E8EDF-CB47-6218-0304-000000003702}5924C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000190998Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:27:51.993{414E8EDF-B0BE-6218-2900-000000003702}27923692C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{414E8EDF-CB47-6218-0304-000000003702}5924C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000190997Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:27:51.994{414E8EDF-CB47-6218-0304-000000003702}5924C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{414E8EDF-B0AE-6218-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{414E8EDF-B0BE-6218-2900-000000003702}2792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000190996Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:27:51.743{414E8EDF-CB47-6218-0204-000000003702}28442424C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{414E8EDF-B0BE-6218-2900-000000003702}2792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000190995Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:27:51.587{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC50557FE43D9238D3A4C59CEC568BB8,SHA256=B8344D6EF585B08D0F2C83A41B19298C05EBBE79C2A2C2E591CB0C2AEC241491,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000190994Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:27:51.493{414E8EDF-B0C0-6218-3300-000000003702}31843204C:\Windows\system32\conhost.exe{414E8EDF-CB47-6218-0204-000000003702}2844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190993Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:27:51.493{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190992Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:27:51.493{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190991Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:27:51.493{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190990Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:27:51.493{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190989Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:27:51.493{414E8EDF-B0AE-6218-0500-000000003702}416432C:\Windows\system32\csrss.exe{414E8EDF-CB47-6218-0204-000000003702}2844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000190988Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:27:51.493{414E8EDF-B0BE-6218-2900-000000003702}27923692C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{414E8EDF-CB47-6218-0204-000000003702}2844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000190987Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:27:51.494{414E8EDF-CB47-6218-0204-000000003702}2844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{414E8EDF-B0AE-6218-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{414E8EDF-B0BE-6218-2900-000000003702}2792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000190986Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:27:51.477{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=511BB45AE1F883955F13C4439F6045C5,SHA256=3F013A4475B29A32341FD9CF3561B337A580808A6730597A58EB1A6272AA4052,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190985Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:27:51.477{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B404EA220B2DC32081F134F063AB1064,SHA256=D80A09EF50EC7A33E25DC9B8EC85C2403412C04A2F1838FBA397E375117F88FD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000190984Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:27:50.633{414E8EDF-B0C9-6218-6A00-000000003702}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52739-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000136017Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:50.633{6AAC6DF5-B0C0-6218-5B00-000000003802}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-933.eu-central-1.compute.internal51020-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000136016Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:52.744{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3A8F6594535AE127D86C8B314008BC9,SHA256=1362F1021D251F2B1E549DFECCC8AEE41D88A103CDC6B5F7869A7E4783DA12D0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191015Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:27:52.790{414E8EDF-B0C0-6218-3300-000000003702}31843204C:\Windows\system32\conhost.exe{414E8EDF-CB48-6218-0404-000000003702}2672C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191014Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:27:52.790{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191013Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:27:52.790{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191012Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:27:52.790{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191011Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:27:52.790{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191010Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:27:52.790{414E8EDF-B0AE-6218-0500-000000003702}416372C:\Windows\system32\csrss.exe{414E8EDF-CB48-6218-0404-000000003702}2672C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000191009Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:27:52.790{414E8EDF-B0BE-6218-2900-000000003702}27923692C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{414E8EDF-CB48-6218-0404-000000003702}2672C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000191008Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:27:52.792{414E8EDF-CB48-6218-0404-000000003702}2672C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{414E8EDF-B0AE-6218-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{414E8EDF-B0BE-6218-2900-000000003702}2792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000191007Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:27:52.649{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CD91468B53841FD0172D8AE3B30A5D4,SHA256=01D94EE40F7AB91AA03F7DD1B05FA51D71AE928A22904636A916254CB5F845B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191006Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:27:52.524{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=511BB45AE1F883955F13C4439F6045C5,SHA256=3F013A4475B29A32341FD9CF3561B337A580808A6730597A58EB1A6272AA4052,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191005Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:27:52.259{414E8EDF-CB47-6218-0304-000000003702}59245108C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{414E8EDF-B0BE-6218-2900-000000003702}2792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000191027Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:27:53.946{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=036015528A4BFEF3A15D528E54A36183,SHA256=E264E57CCEFD9D8E944EB8706225D917DDB39135FFB5737F08C84E8E92B3142D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191026Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:27:53.650{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7D5C91014C6EFB9A4A85178FA6E29BC,SHA256=EF37F999917B0BFD4F918716049CDC5E89780A85E1385E7A6A4356134FB3F131,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000136018Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:53.760{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E3D8979563882D86A96ED98E281BAEB,SHA256=707B5A42D5FC62BF23D76318A527A50885B3FE29F6463D1BA8E76B37CA3B4C6D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191025Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:27:53.431{414E8EDF-CB49-6218-0504-000000003702}33806024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{414E8EDF-B0BE-6218-2900-000000003702}2792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191024Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:27:53.290{414E8EDF-B0C0-6218-3300-000000003702}31843204C:\Windows\system32\conhost.exe{414E8EDF-CB49-6218-0504-000000003702}3380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191023Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:27:53.290{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191022Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:27:53.290{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191021Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:27:53.290{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191020Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:27:53.290{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191019Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:27:53.290{414E8EDF-B0AE-6218-0500-000000003702}416372C:\Windows\system32\csrss.exe{414E8EDF-CB49-6218-0504-000000003702}3380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000191018Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:27:53.290{414E8EDF-B0BE-6218-2900-000000003702}27923692C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{414E8EDF-CB49-6218-0504-000000003702}3380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000191017Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:27:53.291{414E8EDF-CB49-6218-0504-000000003702}3380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{414E8EDF-B0AE-6218-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{414E8EDF-B0BE-6218-2900-000000003702}2792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000191016Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:27:53.040{414E8EDF-CB48-6218-0404-000000003702}26722044C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{414E8EDF-B0BE-6218-2900-000000003702}2792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000191030Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:27:54.727{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED048B95F5AA63B1AD3DB4F864FBDB8B,SHA256=7A68B3A7B3D40E8C58896E9391D5718FC12D6D133CC934BC922DE27287DE14E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000136019Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:54.775{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65FAEFC95CA4C9969A2D99C88B185BA4,SHA256=7501568127D57C0FD870E3D34670438D96AC26911050D1747750C516DD239885,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000191029Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:27:52.914{414E8EDF-B0AE-6218-0B00-000000003702}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-478.attackrange.local52740-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-478.attackrange.local389ldap 354300x8000000000000000191028Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:27:52.914{414E8EDF-B0BE-6218-2B00-000000003702}2820C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-478.attackrange.local52740-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-478.attackrange.local389ldap 23542300x8000000000000000136020Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:55.822{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E0C066788DC86197C946AEFF0BFCC1A,SHA256=831A69C3D1A6819FDD9ECB0DA205F84A003D9C4A95CFA6E336ADAAF38E9A3072,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191031Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:27:55.759{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFDE1DC3479C79EEF45362D18A388F87,SHA256=806F3E4CCA64A97ADFECFDE235FE390FB42925DF48C31FEDF6E3F9A8ED189971,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000136021Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:56.838{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23AA185E708CFA5402ECE1B100A9AE2E,SHA256=7146C8A5F0F285C796173603454B5A3DE0EDAEE3BAFC6AD51E63DE4546474125,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191040Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:27:56.759{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9ECD87A968817310E8558EA2AD765C6F,SHA256=780F01352674120D54B0042BBD67212E15C2BF82DADE03796EECFC76A3270E17,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191039Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:27:56.681{414E8EDF-B0C0-6218-3300-000000003702}31843204C:\Windows\system32\conhost.exe{414E8EDF-CB4C-6218-0604-000000003702}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191038Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:27:56.681{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191037Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:27:56.681{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191036Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:27:56.681{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191035Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:27:56.681{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191034Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:27:56.681{414E8EDF-B0AE-6218-0500-000000003702}4165324C:\Windows\system32\csrss.exe{414E8EDF-CB4C-6218-0604-000000003702}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000191033Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:27:56.681{414E8EDF-B0BE-6218-2900-000000003702}27923692C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{414E8EDF-CB4C-6218-0604-000000003702}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000191032Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:27:56.681{414E8EDF-CB4C-6218-0604-000000003702}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{414E8EDF-B0AE-6218-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{414E8EDF-B0BE-6218-2900-000000003702}2792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000136022Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:57.900{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22F6E56F7CBE2C922A52825184B35807,SHA256=C7951FBD09A9C1C570D2BF99632AD8266C4E93D7F6EC7A65231875A1D3649B26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191043Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:27:57.978{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D839A081350ED14045F237A3104C5C9C,SHA256=DFD87C227698FA7D45BF056546592FB21D6E6B1007ADC226DD2459AFE3CCD723,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191042Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:27:57.899{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3E34F3DDEE4ED83A2ABAE83EFA778FA6,SHA256=FEB277EFF98C4FA9C43FDA806664173F1D31DCA9567C908778C6675A09439A5E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000191041Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:27:56.649{414E8EDF-B0C9-6218-6A00-000000003702}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52741-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000136024Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:58.900{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D249380DCD402D6FB9A05D5E1D6DB244,SHA256=A624EBAA947AE32342AB60E8211A0B36A17048870403B545ED9F68C1206722FA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000136023Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:55.742{6AAC6DF5-B0C0-6218-5B00-000000003802}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-933.eu-central-1.compute.internal51021-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000136025Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:27:59.947{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40CA8AD141CDB045BBB7962096756356,SHA256=F8F97878CFDF6B8E7D34CB2A07FD4883A41B42680EE7352F88A7029A54730A12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191044Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:27:59.024{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C2A99E4FA425D54FCD381B80121D40E,SHA256=DBB54A5706CBE4166291C20DD1CD0CA747972B354D41862B61F84C699CAA0DA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000136026Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:00.947{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=631425A872C8B906A738C54E25D49D6D,SHA256=3EC02863E7D60514CC8977AF1B8AFDFE21117DCBB27BCA62E6E4C5A6B4FD7AA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191045Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:00.056{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C819B41FBA16570C0ACD021EB279293,SHA256=44BB0D49EDF5883AC7BB5F00AE37CA84689CA8A58881EDDA3307D93511A33903,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000136027Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:01.963{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80EAE00B0BD750420FEB0E34F7F27EBF,SHA256=5247CDE7FD59861547DE5F2F58BB6E09569FBCF5B4E0154DCD8349B1C701E3A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191046Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:01.134{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=828BD21562D451A1ADA713AABB8A41E1,SHA256=F4BE9B04F8488DBBC1D816CD15731C93FA87BCFBC2B4BB2DAE0639789F253475,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191047Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:02.149{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AE47ED9B196A2C94464AFED9977E4A5,SHA256=5EE7EA67A16C4B76BF35750366FEF10FE9C2DD5DA509FCCCD4410DA8568E696C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191048Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:03.384{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=218B455CF820B1439EA000E82127B4F2,SHA256=64209301D26C1B875664DAE6C3F7C9D5462BA5CC0A6C4A3D4F74239F13B8B5BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000136028Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:03.025{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=900AFD71FD683577927459C1EB8B2E31,SHA256=43E577ED81BD76F7A20D6FF5D0D590CCBD759CC97E7DCB323EC96594C340CD44,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000191050Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:02.602{414E8EDF-B0C9-6218-6A00-000000003702}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52742-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000191049Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:04.415{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72306C4EC312F474C1E156D365B39C85,SHA256=F092F5D4551F09EFEEA2EC8CEBEAB4D472F59644DB526265F577B63FEAB3A21F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000136030Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:01.727{6AAC6DF5-B0C0-6218-5B00-000000003802}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-933.eu-central-1.compute.internal51022-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000136029Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:04.072{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F39255B45313C630DF175F717034B79,SHA256=29279974620D8F91857AAC268124AEF704C44554FC795777E33BED1A95E8D287,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191051Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:05.478{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=843EB28F84661956251B02EE080C40A1,SHA256=B7028F83C01F5F5F94FD754102E05B8488B25E5E922D91F6B0A618DF3C54B3C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000136031Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:05.088{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46701BDF7DF6F70D66BC8E0BCF884DC2,SHA256=34976B6AEF4593365B28B08F4F582033332C52608AEF24A739E66A8D726AE091,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191052Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:06.493{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA88683735B37429B9D9CD73F7B61C95,SHA256=07EE8C559405C4B31245D00A7821A0DDC25637595B05CDC96324A3A3396C3D56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000136032Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:06.150{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBAC90636C431FDFA6ECA6ED9A3BFD77,SHA256=AA181EB9875519069B052E2800834C22C518F22B47A6273F7FD64672C0F900A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191053Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:07.493{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9675133C6546E0711580499F5FD40CEC,SHA256=496672BC3F389E081CAE085C05FF6D1CA5F023BA8A1A4B02F58A927CDD29981D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000136033Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:07.150{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09913A1A0346B3BA8CFE589DE2B27FA1,SHA256=1274B64D4B6A2A76579C7702554209777A768D7C348C7969EE8760E820BFC76B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191054Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:08.728{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68A4181EF49166F1F93734A796A791B9,SHA256=6B966ED6A3883790234BC90A95B681C7AB0DF16B857B910DEBA3B3879ECD8B72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000136034Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:08.182{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A23D830E6E8E8A315519ADA052F1BADE,SHA256=46C6F15CF9912AF8E953552EABC5D9A01FF3F83EAF27F7335D2E6C0D69B143A8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000191056Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:08.586{414E8EDF-B0C9-6218-6A00-000000003702}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52743-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000191055Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:09.728{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F4B05D2C64B13937BD117379D34FB70,SHA256=369559B259C9BC9341A11A0E81971854DE96B399B0CFC880FAE2E48A4F56CCE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000136035Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:09.182{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=693E7E77B3F0B1C84E4B8D966F4C4E54,SHA256=DA1C0424227E07972C2A5C92A699355DB48124B11E84EB921744B57198CB865E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191057Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:10.806{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07AFE7FCDD3ACB6493613EF9965687A5,SHA256=D9504100DF348CA4371E3EE7BE434785BDD54C501E0B798D04FD203BB30EC1FB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000136037Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:07.742{6AAC6DF5-B0C0-6218-5B00-000000003802}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-933.eu-central-1.compute.internal51023-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000136036Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:10.244{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1A0A24FD74F473899E51335DBC7E1D7,SHA256=8CDCC84D09ED72927BE62F2F1546D598FE6377B4B17D1C134C94E0C9465A37E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191058Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:11.821{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A212998848170B4BFCB3CDB1FD9D46D3,SHA256=699B81F33FD6BE196DC0C084EF1668AD04DDD86E77B2A2C94A19650146EA5F18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000136038Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:11.291{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=158D96D8AE84276F7548ADBB98C67435,SHA256=0DAA84D6DB1889DE121103D1EAE53BB7512B8FAA826BB14F879182966927457C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191059Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:12.837{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B3DEACFACC4DB00F48E3E94641E2713,SHA256=FECAFE8CAA23976BDD6CB65E2A9CEEBC43D07E57A210AF9693E1E42D8106BAE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000136039Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:12.385{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FCE6DD7FD2E1961E8E1169F9F82F210,SHA256=C9F14843D3779B4EC20BEBF457DA80ABD1F1EDBF0F001AA356380BBDAC1014D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191060Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:13.853{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35F853A70BB58C53D3DE05705B0B9755,SHA256=96336CA665FF674F56CEE6BD146940B13288E23138DD2169E786522D0250B507,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000136040Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:13.416{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63F91B94A567CB3A1D5FB032974B7935,SHA256=E4303544BCDB2F1A3F8ADEE5E125F0FFE8BC3068FAAAD9FA949CF278F71015B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191061Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:14.900{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A970456E7B8889FB6F69F2C3936C9B4C,SHA256=D61AD0C417894B788F58669914E3CE5A91A5710B3BB2D39BD327052EBBBFC49A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000136041Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:14.463{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0CD153DE84CCE6150B44D09E12406A7,SHA256=0B75847A1D71AB91353AC168644D87C9F5DAAF54AF9BDDE3E5EB65AF6EF30756,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000191063Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:14.554{414E8EDF-B0C9-6218-6A00-000000003702}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52744-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000191062Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:15.900{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5642878806339A694E0E93B6341DF930,SHA256=4F98F4A182AE6C5F90E40A6D97B2BC84DE534CD7CE0963AF89D3BF3B26C0DCE8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000136043Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:13.539{6AAC6DF5-B0C0-6218-5B00-000000003802}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-933.eu-central-1.compute.internal51024-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000136042Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:15.494{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=615D4C9E43DE73D41EF10769AD7A861B,SHA256=9220392FA410507A60DD5CCFD5DFA9C6F711586FAAF16C7550B4823274FB0CE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191064Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:16.915{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A920ABF32CC9850B664182E95DBC258,SHA256=04C507089C0307C56053E524B38F92F1E7B254F9290904F08A25451714CFE3C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000136044Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:16.494{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F54F44F9CDF8266370761790AAD4D92F,SHA256=CD63B2B8CF3E81C1902915BD939FEA9CA3570935812E80D2735CAFBDBA538363,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191065Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:17.946{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A9BDECD8D3B4D94C946A43C89D9ACD9,SHA256=CFF8C08163F1996737EA94DDF23C19A1B2EC531AE9033B1F88DE5A3AD16A90BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000136045Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:17.510{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEACCF879BF06688A6C5A8CF87B4572F,SHA256=D292A397CAD586CCE4AA10E68B941BBC122746DE427E734C8E10D90B864AAADC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000136047Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:18.532{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55B9528DFFBEA6B93B106A81BE6C1B04,SHA256=3C124A1E62573C1B621E5B8524C50989D79BDB0D14B589E69803FE09B70D73F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000136046Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:18.254{6AAC6DF5-B0B2-6218-1D00-000000003802}1952NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d7ccee276d30a4b6\channels\health\respondent-20220225103429-110MD5=FBD42F5F8AA0DC0DD6067820063FF10B,SHA256=AAA41009555F09EFB0ED817562D7125DD50A33AE671816E82835424EE5CAE232,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000136049Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:19.562{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B4814777069CAD17E3B8D9F6C04DD13,SHA256=B02C475ACCDFABB9226A0A0113A593559A9FD8F5826A022EDAD4F5AD2ADB4C5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191066Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:19.025{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD3361D1812B836645B3A5AC50DB50C2,SHA256=A90F281652C3565B781D4551F9668D08E62755B1DB81A9430CC684B71EA33530,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000136048Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:19.252{6AAC6DF5-B0B2-6218-1D00-000000003802}1952NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d7ccee276d30a4b6\channels\health\surveyor-20220225103427-111MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000136051Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:18.686{6AAC6DF5-B0C0-6218-5B00-000000003802}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-933.eu-central-1.compute.internal51025-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000136050Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:20.580{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E040536C728BBE07FD399A382BF2FD9,SHA256=24CC0DD7AB312D7C579256A1B38A47F5931216EA03FAABACA15DDF450FF0389A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191067Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:20.025{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BF07BB2253BB93684366DF93B774311,SHA256=E64CBEB53BCD65CBE72A23950B3A62A8412ECF8943997E28FB820ACC8EF99EA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000136052Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:21.596{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D51C25004435778F6ACCA84D14E9D4E,SHA256=31B49E8B371ABDE6B7FA5467993BFEB0052390930631CB7D5D360F67D709E91E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191070Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:21.431{414E8EDF-B0B0-6218-0D00-000000003702}9005868C:\Windows\system32\svchost.exe{414E8EDF-B0DA-6218-7D00-000000003702}4500C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000191069Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:19.648{414E8EDF-B0C9-6218-6A00-000000003702}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52745-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000191068Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:21.040{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C85A27854FFE277A07A4F5EE77B5B3C,SHA256=5BC48F3AB77D1E20499395A184841D808FDF49B06E484E44176A27B4D72632B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000136053Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:22.627{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=304270525A21150056351A7EC1A6EC03,SHA256=BD146EEEE18D7D8635CDFC18776A7EC9681707A0CFD5445A0CED916600C5E0B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191071Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:22.071{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE9C50451067814BE6E8AF94B59802C1,SHA256=A31D22AC1C2A6662F68420DDFC17D71E391EA71C7B71176563A0872FA3A8958F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000136054Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:23.658{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42BFA618549E2DBE97EBF9CFBBD51956,SHA256=0E533F87EEAE8EC9BB62E864AB77171E4C8F97D4F2D2B4B37951A3D17BF8A47A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191072Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:23.071{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26503DD98C9E94C4AB5DD5559407A1B5,SHA256=D22FF3764905B13A0F1A2790F0A78BF45607848BD8F4D5C7FD61232C184CFB1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000136055Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:24.658{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B150204B65E86ED9F288567BC051605B,SHA256=D0ABA8D40C04ED2B5F1F8CD1DFF71B0C0B935139FE49DFA84D780F2D73F9FC5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191073Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:24.134{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12896B7243012C0E5DF1E9F171FD0DCE,SHA256=D897454AF3DA008A927C9B8DB6D233AA07D47B06518F45588D04DCCF061BB04F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000136056Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:25.674{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5908F6EDCC4A7383978FFD0C72D1B67A,SHA256=DB9EA87F8DA91BCDC39329B548DA573D60F5BD33B11F5A7DECA298394A240698,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191075Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:25.540{414E8EDF-B0B1-6218-1100-000000003702}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=54173A4AA6AA4E34F9F1191D10ACBCE1,SHA256=BB372CE5BBEECC164F1775454424AA64C504DBDC51F207632A8DF155365892A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191074Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:25.181{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=361E53F275E8247E60FBC68D99273A1F,SHA256=70048A2D2E2E3BD3F9003AB39915EA354CB08671954EB53052E30993714DCDDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000136059Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:26.830{6AAC6DF5-B0B1-6218-1300-000000003802}108NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=D224C43D3E256783F0D17253E10764F1,SHA256=E70183B69AD5890176F0A407AC653C8B42A569D1592F7C86D1959CEBFABE87D3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000136058Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:24.547{6AAC6DF5-B0C0-6218-5B00-000000003802}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-933.eu-central-1.compute.internal51026-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000136057Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:26.689{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C2DD9A0205C383E237B06BC4C79F5C6,SHA256=819168622DC4007DA5D8D1E9083728BA3A866B10F0CE9A14D7EB3E80284745D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191076Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:26.181{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=037F7099F0559B7D6AD01A5733F07078,SHA256=A6028E742C8DEF89DEF7631A698E84E7315FE7707AB36E713C5B8098C67273F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000136060Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:27.689{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0F2089497A75984593A19C2E4F46BFD,SHA256=E9AB9D148957B627AF3B2C54CFA1B80FB3699DA4271422C2B04B4DE89A6D8EEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191078Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:27.212{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86FE8E1AB0B2287F0C3D048F054EEA5E,SHA256=C486B3AC31A55EF6BB33A26A2466C2A9771DB2C18E0371DA5DF111C7B35B3DDB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000191077Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:25.617{414E8EDF-B0C9-6218-6A00-000000003702}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52746-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000136061Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:28.705{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A2FC38F128A2E31BBF1A60F2B7F3131,SHA256=59F7321E56EA372DEFB0A6435CA87F2E4F1D108C6DEB03067D9E1485E360EF7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191079Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:28.212{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F79FC7A701992ED7B476DCA09D34185,SHA256=B0BCC9641551F2F3CA45B04BA70309290119011A494754E2BC4F0EF9C9DA6C9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000136062Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:29.721{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B44CDFBD78F1C68CDBB442ECFB0DA360,SHA256=D996BA8BB10449E11BA815292E702098F2BFDB63282C26B142DCC46D7473D482,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191081Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:29.307{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9B7E97EF0B4F3BDF9A83703F0DE6A78,SHA256=A8827051DC6CC78A8BB1FBC3867AA6CBBB2C5BE711A1F389ECAEF1A464545C8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191080Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:29.012{414E8EDF-B0BE-6218-2400-000000003702}2716NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0cad71091a725587e\channels\health\respondent-20220225103441-110MD5=E961008872A85D9E7B2EDCDB9076BE5A,SHA256=4C7B4263F3F8553ACCFCCC53A0FA56737D447810FFCB4A43A3BA8D688A9FDFED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000136064Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:30.736{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C4CFD271E3B13CAD7C9D731C0111B7B,SHA256=BE8F882D3372F0145B041D915868AA5E37597291B03B414739F8B0B3225B6B02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191083Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:30.320{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94289CD510CD67ADD0153D42B680144E,SHA256=1787BC4EEA2F41E4F364F189934B63FF88B238BA5950DB0BB6A593222EEDCBE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000136063Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:30.283{6AAC6DF5-B0B2-6218-2200-000000003802}1500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=4A396A40DE4AD844AFDFD6BFEE34209D,SHA256=ABC582D2644B8C5C1CF17206963A01B55D9A40BBB1979B03D8F2D216AA803ABE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191082Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:30.027{414E8EDF-B0BE-6218-2400-000000003702}2716NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0cad71091a725587e\channels\health\surveyor-20220225103439-111MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000136065Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:31.752{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CED79C9D3133C34E903152238323D476,SHA256=42EFD22F91CD06D8C2081279973C8EBB07D403C56CC7B175770AB56325C48851,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191084Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:31.324{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A11DEDE79250537E9488C75470219A33,SHA256=FF83C38D1AE7654A9CD15ECA5B6EAF627F6A0384BA5E9FCB1D145DE8940705E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000136067Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:32.767{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03FA490F35B7A4489CFDEE1E694040B9,SHA256=0C7D619FF5BC8967FE720CA2EB84501896D4564F6F5689DF13CA99A405F55D8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191085Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:32.324{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=489A0A27A90674770033F89D2C1E4F0A,SHA256=D9D8F2415CFD17A3AC368210CDF1C8FC0207D9C190C46818FA7CF4FCE52A2447,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000136066Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:29.766{6AAC6DF5-B0B2-6218-2200-000000003802}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-933.eu-central-1.compute.internal51027-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000136069Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:33.767{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C93E539D4738AC2698A88644FB8CDE0F,SHA256=669855302500C9B09C35F89DDE0573B8A7EF184DE897CA1A1092D7E64C301288,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000191087Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:31.556{414E8EDF-B0C9-6218-6A00-000000003702}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52747-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000191086Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:33.324{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F543E1AF16891629A3352C644DAA0437,SHA256=F938198302829465329FCBB0244BC996EEE8725EF078D7D73933C7ED25736E56,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000136068Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:30.562{6AAC6DF5-B0C0-6218-5B00-000000003802}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-933.eu-central-1.compute.internal51028-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000136070Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:34.783{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7695D3940A33A2049B31CAE73994993F,SHA256=13602C6B22F495AD969994F3E9D930B7CAD50A23BDC48F5D4ABB75D2A66CD1C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191088Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:34.339{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B683EB113E535C05FA226561C2B01E6,SHA256=159FE467E8A895BF099BAEBE74A109EA18FD28FF700936881A0D054BF990DC2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000136071Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:35.799{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43210253C782B8CBECBB5120981B0E0E,SHA256=2CAA120B0893F7ABB456047C5CEF9CD0F31398BE7E51BE8DE7D2F3F6D9FA8602,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191089Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:35.340{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F296B773CA54DF39058A25EE1D69A545,SHA256=B13C11C7EC0A6E5EC0D70255A2BFD734C7ED5F05952F1800C5D01EC056D9A361,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000136072Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:36.814{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E7485AAA435D96A365BEB8E8AEC0636,SHA256=EB32556517535D672AB05855BE60E5E89AE4800A04D4A9C3C5C9A4EE20AAE8F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191090Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:36.355{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1538D9AA17EF5911AD3B176D47EDD1EC,SHA256=57D7105F9CB9684D62D620B2DDD020F0710E6E9CFBA8D248DBD1A4DF605DD61A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000136073Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:37.830{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E624FFBFA8CF6266668A642A323B8061,SHA256=461B61D7D48E51A5A3DD8F00E0CEA5DA5034953FB68596BDBF6F4AF770BFCCD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191091Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:37.370{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26534545CFDFC10D3A1C8645A028DF70,SHA256=F0ED1CBEE17BC77D98C13C1311D41A4036EACF9EEF3335419E5CBDC277E2B8C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000136074Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:38.846{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D01D41789957D0F2CF458ABB44FD5BCF,SHA256=1799CA26CB055DCB0DB9401509841AF6E18BC882D02CDE860E92944D0F53A7DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191093Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:38.699{414E8EDF-B0BE-6218-2900-000000003702}2792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=4A396A40DE4AD844AFDFD6BFEE34209D,SHA256=ABC582D2644B8C5C1CF17206963A01B55D9A40BBB1979B03D8F2D216AA803ABE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191092Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:38.386{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6616E230A8AAA219A0EA01C10C635B46,SHA256=031F7443A874B2936C8F9DFC30CF79FA45C67AFA742B46D688BA539FB7CF72F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000136076Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:39.861{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=154EAC5BFC7797DB07DE12653DB946D7,SHA256=E55D27608DCE19BF7569F56AA2D9A2E11AC917EEA466CF1F8AA97FD1ACE9EAE8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000191095Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:37.557{414E8EDF-B0C9-6218-6A00-000000003702}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52748-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000191094Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:39.386{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DCF6A6C4A4A2537213CD6C91A5D2F39,SHA256=88362377F3AFF68DCDE5C244B6A6200EAB2B0EBBA91DCE79915A0D7A65D99D9C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000136075Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:36.609{6AAC6DF5-B0C0-6218-5B00-000000003802}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-933.eu-central-1.compute.internal51029-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000136090Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:40.877{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90B90A117E647D31B8DDE7E57373A61F,SHA256=6E058FEA3BF62A31ADDE8F0AE708BCABBEBF70A646C37FCDDBF78D8608187D81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191097Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:40.402{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79F6FC4817BCA31703EEF20789885CAC,SHA256=4B1F0D65DB611C979E53C6F8BDC9601A5F68C6A1801F6821329CAEED7BC26DA3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000136089Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:40.580{6AAC6DF5-B0B4-6218-2B00-000000003802}28082828C:\Windows\system32\conhost.exe{6AAC6DF5-CB78-6218-B303-000000003802}3160C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000136088Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:40.580{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000136087Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:40.580{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000136086Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:40.580{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000136085Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:40.580{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000136084Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:40.580{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000136083Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:40.580{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000136082Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:40.580{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000136081Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:40.580{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000136080Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:40.580{6AAC6DF5-B0AF-6218-0500-000000003802}424540C:\Windows\system32\csrss.exe{6AAC6DF5-CB78-6218-B303-000000003802}3160C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000136079Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:40.580{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000136078Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:40.580{6AAC6DF5-B0B2-6218-2200-000000003802}15003888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6AAC6DF5-CB78-6218-B303-000000003802}3160C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000136077Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:40.581{6AAC6DF5-CB78-6218-B303-000000003802}3160C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6AAC6DF5-B0B0-6218-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{6AAC6DF5-B0B2-6218-2200-000000003802}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000191096Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:39.181{414E8EDF-B0BE-6218-2900-000000003702}2792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52749-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 10341000x8000000000000000136120Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:41.924{6AAC6DF5-B0B4-6218-2B00-000000003802}28082828C:\Windows\system32\conhost.exe{6AAC6DF5-CB79-6218-B503-000000003802}3372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000136119Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:41.924{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000136118Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:41.924{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000136117Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:41.924{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000136116Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:41.924{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000136115Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:41.924{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000136114Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:41.924{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000136113Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:41.924{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000136112Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:41.924{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000136111Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:41.924{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000136110Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:41.924{6AAC6DF5-B0AF-6218-0500-000000003802}4241012C:\Windows\system32\csrss.exe{6AAC6DF5-CB79-6218-B503-000000003802}3372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000136109Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:41.924{6AAC6DF5-B0B2-6218-2200-000000003802}15003888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6AAC6DF5-CB79-6218-B503-000000003802}3372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000136108Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:41.924{6AAC6DF5-CB79-6218-B503-000000003802}3372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6AAC6DF5-B0B0-6218-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{6AAC6DF5-B0B2-6218-2200-000000003802}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000136107Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:41.892{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A43AF77B0A1F7A400FEF8C25C54F9301,SHA256=D35C97F4F18506ED3033A57DAA95546579EAEC97F72B04685A8B3CD381CF5EF5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191130Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:41.417{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DD-6218-8900-000000003702}4020C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191129Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:41.417{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DD-6218-8900-000000003702}4020C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191128Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:41.417{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DD-6218-8900-000000003702}4020C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191127Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:41.417{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DD-6218-8900-000000003702}4020C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191126Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:41.417{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DD-6218-8900-000000003702}4020C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191125Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:41.417{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DD-6218-8900-000000003702}4020C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191124Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:41.417{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DD-6218-8900-000000003702}4020C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191123Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:41.417{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DD-6218-8900-000000003702}4020C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191122Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:41.417{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DD-6218-8900-000000003702}4020C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191121Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:41.417{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DD-6218-8A00-000000003702}4764C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191120Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:41.417{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DD-6218-8A00-000000003702}4764C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191119Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:41.417{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DD-6218-8A00-000000003702}4764C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191118Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:41.417{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2700-000000003702}2764C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191117Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:41.417{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2700-000000003702}2764C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191116Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:41.417{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191115Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:41.417{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191114Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:41.417{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191113Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:41.417{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191112Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:41.417{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191111Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:41.417{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191110Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:41.417{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191109Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:41.417{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191108Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:41.417{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191107Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:41.417{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191106Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:41.417{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191105Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:41.417{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191104Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:41.417{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191103Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:41.417{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191102Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:41.417{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191101Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:41.417{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191100Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:41.417{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191099Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:41.417{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000191098Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:41.402{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30A0E712A2AFEB31844BDE5522742748,SHA256=4933031F222FC4BDC6A77EEE2085921C82E722CD491529F28C20D060C6DC2B92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000136106Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:41.627{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=979D6A5F929717394B41AFEA44D93C63,SHA256=2D7C1058E0CD099348223517306E425B3E66721BC1EF10BB18B2D5DCDD911F28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000136105Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:41.627{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3BA4CF1E286410A8139150DACEBCF92A,SHA256=167F2E808393BD8CF2449498D9DD497387DA9DC4546E8D0E2EB207E8994A4CF3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000136104Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:41.439{6AAC6DF5-CB79-6218-B403-000000003802}30402816C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{6AAC6DF5-B0B2-6218-2200-000000003802}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000136103Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:41.252{6AAC6DF5-B0B4-6218-2B00-000000003802}28082828C:\Windows\system32\conhost.exe{6AAC6DF5-CB79-6218-B403-000000003802}3040C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000136102Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:41.252{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000136101Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:41.252{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000136100Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:41.252{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000136099Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:41.252{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000136098Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:41.252{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000136097Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:41.252{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000136096Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:41.252{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000136095Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:41.252{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000136094Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:41.252{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000136093Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:41.252{6AAC6DF5-B0AF-6218-0500-000000003802}424440C:\Windows\system32\csrss.exe{6AAC6DF5-CB79-6218-B403-000000003802}3040C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000136092Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:41.252{6AAC6DF5-B0B2-6218-2200-000000003802}15003888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6AAC6DF5-CB79-6218-B403-000000003802}3040C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000136091Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:41.252{6AAC6DF5-CB79-6218-B403-000000003802}3040C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6AAC6DF5-B0B0-6218-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{6AAC6DF5-B0B2-6218-2200-000000003802}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000136122Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:42.971{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=979D6A5F929717394B41AFEA44D93C63,SHA256=2D7C1058E0CD099348223517306E425B3E66721BC1EF10BB18B2D5DCDD911F28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000136121Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:42.939{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72A0D1EB2680F90FC2471A27D8196658,SHA256=58D76FAB65CC8A679D2589F286C49A8BB3EAD5AE75C335B0587749C58DD4C78A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191131Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:42.902{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95CDFE02A1EA38E907ADA417C0B7249A,SHA256=2D0477EA1A6746DC6F766FCA87853F1878E1EA2FF848E941B275CC328EC9811C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191133Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:43.917{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CD2152D479D860DFBFC5352E8C3B664,SHA256=54D9C58E982DE1D4E4000477D6638AF57385B0B390BFED752E9B10F923503B6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000136123Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:43.939{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10786F40B40D4F0F5F4CF90AA221D936,SHA256=B8A076FD55AE60EF852DEAE032A3E8474C08C4A020273DE888572C3D0FDAFE76,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000191132Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:42.759{414E8EDF-B0C9-6218-6A00-000000003702}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52750-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000191134Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:44.996{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CD58FF80EF05CEF2CF71838F10F4F2F,SHA256=26350E8C939880EDB3473ABF6178691DFC0033E06AA3461EC2E900FEF52D178B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000136139Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:44.971{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A87B6096E5697B8DDC7B7ECEAFD4C05,SHA256=0B3CB199D8D30D96E0AFB27902CFA8991768A970A782AAC6DAD2F1BA25C27E1A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000136138Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:42.609{6AAC6DF5-B0C0-6218-5B00-000000003802}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-933.eu-central-1.compute.internal51030-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000136137Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:44.596{6AAC6DF5-CB7C-6218-B603-000000003802}3544524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6AAC6DF5-B0B2-6218-2200-000000003802}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000136136Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:44.439{6AAC6DF5-B0B4-6218-2B00-000000003802}28082828C:\Windows\system32\conhost.exe{6AAC6DF5-CB7C-6218-B603-000000003802}3544C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000136135Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:44.439{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000136134Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:44.439{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000136133Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:44.439{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000136132Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:44.439{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000136131Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:44.439{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000136130Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:44.439{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000136129Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:44.439{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000136128Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:44.439{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000136127Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:44.439{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000136126Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:44.439{6AAC6DF5-B0AF-6218-0500-000000003802}4241012C:\Windows\system32\csrss.exe{6AAC6DF5-CB7C-6218-B603-000000003802}3544C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000136125Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:44.439{6AAC6DF5-B0B2-6218-2200-000000003802}15003888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6AAC6DF5-CB7C-6218-B603-000000003802}3544C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000136124Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:44.440{6AAC6DF5-CB7C-6218-B603-000000003802}3544C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6AAC6DF5-B0B0-6218-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6AAC6DF5-B0B2-6218-2200-000000003802}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000136155Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:45.986{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6485A0BBF4B3C8437F0B848ADC16407,SHA256=6D6D2F5838CB73DA7F243273DA9BDEF3319107559CBB0586124069DCA2C70BBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000136154Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:45.502{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=20FAEAA3B02F7E72A944A26A892287B2,SHA256=41736678D786887EE8C081788D9E6032D6F730BABC5D8AFE6EF4017AFEF158DE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000136153Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:45.299{6AAC6DF5-CB7D-6218-B703-000000003802}36561720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6AAC6DF5-B0B2-6218-2200-000000003802}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000136152Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:45.064{6AAC6DF5-B0B4-6218-2B00-000000003802}28082828C:\Windows\system32\conhost.exe{6AAC6DF5-CB7D-6218-B703-000000003802}3656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000136151Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:45.064{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000136150Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:45.064{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000136149Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:45.064{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000136148Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:45.064{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000136147Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:45.064{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000136146Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:45.064{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000136145Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:45.064{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000136144Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:45.064{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000136143Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:45.064{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000136142Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:45.064{6AAC6DF5-B0AF-6218-0500-000000003802}424540C:\Windows\system32\csrss.exe{6AAC6DF5-CB7D-6218-B703-000000003802}3656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000136141Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:45.064{6AAC6DF5-B0B2-6218-2200-000000003802}15003888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6AAC6DF5-CB7D-6218-B703-000000003802}3656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000136140Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:45.066{6AAC6DF5-CB7D-6218-B703-000000003802}3656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{6AAC6DF5-B0B0-6218-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6AAC6DF5-B0B2-6218-2200-000000003802}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000191135Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:46.058{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=306CC64D400CD8145A18CB15C1ED7D5F,SHA256=8A99B84A014218A3FEB07757DDB7C79201A41E34C8577FD79560B7CAB73A6CE2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000136168Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:46.955{6AAC6DF5-B0B4-6218-2B00-000000003802}28082828C:\Windows\system32\conhost.exe{6AAC6DF5-CB7E-6218-B803-000000003802}3592C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000136167Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:46.955{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000136166Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:46.955{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000136165Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:46.955{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000136164Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:46.955{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000136163Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:46.955{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000136162Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:46.955{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000136161Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:46.955{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000136160Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:46.955{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000136159Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:46.955{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000136158Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:46.955{6AAC6DF5-B0AF-6218-0500-000000003802}424440C:\Windows\system32\csrss.exe{6AAC6DF5-CB7E-6218-B803-000000003802}3592C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000136157Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:46.955{6AAC6DF5-B0B2-6218-2200-000000003802}15003888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6AAC6DF5-CB7E-6218-B803-000000003802}3592C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000136156Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:46.956{6AAC6DF5-CB7E-6218-B803-000000003802}3592C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6AAC6DF5-B0B0-6218-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{6AAC6DF5-B0B2-6218-2200-000000003802}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000136171Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:47.971{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D0620AC2F40BCAB04E64FD1C715BAB15,SHA256=9DA3F2F7CFA44674B4D517CA81412D5ABEF903D34ABBA4D99E37062445BF7E87,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000136170Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:47.158{6AAC6DF5-CB7E-6218-B803-000000003802}35923280C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{6AAC6DF5-B0B2-6218-2200-000000003802}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000136169Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:47.002{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1490E7F609C4255074E6DDF0A7E87F02,SHA256=D571A99823EEC6CDCEC65781FF8D61CDEB60BEC88867E61D9DF7F07182F2B88C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191136Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:47.074{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1F9C21FE287A40B7B7F81C7523F53DD,SHA256=45087BC873A975A113222B5A6EB5D50BE927FB1B0624DA049FB6DADCFE20C80D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000136185Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:48.080{6AAC6DF5-B0B4-6218-2B00-000000003802}28082828C:\Windows\system32\conhost.exe{6AAC6DF5-CB80-6218-B903-000000003802}660C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000136184Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:48.080{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000136183Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:48.080{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000136182Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:48.080{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000136181Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:48.080{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000136180Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:48.080{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000136179Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:48.080{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000136178Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:48.080{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000136177Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:48.080{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000136176Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:48.080{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000136175Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:48.080{6AAC6DF5-B0AF-6218-0500-000000003802}424440C:\Windows\system32\csrss.exe{6AAC6DF5-CB80-6218-B903-000000003802}660C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000136174Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:48.080{6AAC6DF5-B0B2-6218-2200-000000003802}15003888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6AAC6DF5-CB80-6218-B903-000000003802}660C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000136173Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:48.081{6AAC6DF5-CB80-6218-B903-000000003802}660C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6AAC6DF5-B0B0-6218-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{6AAC6DF5-B0B2-6218-2200-000000003802}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000136172Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:48.064{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E4937179D6AFF378E81A0D17E185B0F,SHA256=5460625D249C6051C8272311B5E11CF4F45AB9A189974A45F6642D037BCFF1E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191137Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:48.074{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF92F8BDAD803CB9F230DD6579F1AEA7,SHA256=CCAE1F73E5029846742B60DC2D31B3EFA6185B57F9D813B5EBB8E074B492060C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000191139Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:48.713{414E8EDF-B0C9-6218-6A00-000000003702}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52751-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000191138Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:49.089{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58FFE1B415D02353255FEC92634B79D1,SHA256=A0327875CCB6CBEF96B45B830A12EB8960A0D71EB969560718EA4AAFF846BD08,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000136188Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:47.718{6AAC6DF5-B0C0-6218-5B00-000000003802}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-933.eu-central-1.compute.internal51031-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000136187Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:49.314{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=673C99B3D4472DE9CEFF39A1D4EC8BC9,SHA256=85217E0521410D665D5EB4CB8B8D57DAB5E357FD36C57F7CECB51304C9A0D4CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000136186Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:49.096{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95BFBAC5024475F36AE6B868904EA94C,SHA256=0D60FF222822A2E6CF12012928BF008D34320805FA3B3D9508B964DDFD1BF4F9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191148Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:50.371{414E8EDF-B0C0-6218-3300-000000003702}31843204C:\Windows\system32\conhost.exe{414E8EDF-CB82-6218-0704-000000003702}4828C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191147Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:50.371{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191146Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:50.371{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191145Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:50.371{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191144Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:50.371{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191143Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:50.371{414E8EDF-B0AE-6218-0500-000000003702}416372C:\Windows\system32\csrss.exe{414E8EDF-CB82-6218-0704-000000003702}4828C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000191142Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:50.371{414E8EDF-B0BE-6218-2900-000000003702}27923692C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{414E8EDF-CB82-6218-0704-000000003702}4828C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000191141Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:50.371{414E8EDF-CB82-6218-0704-000000003702}4828C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{414E8EDF-B0AE-6218-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{414E8EDF-B0BE-6218-2900-000000003702}2792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000191140Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:50.105{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=111B6798D79F4596AF1BD0A654E3D613,SHA256=E25A2B2AA02031A7269DE75CF48AB90E35EE45DED159FC1364B425EF15831643,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000136189Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:50.111{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=931CE3B22A56B37F91232E0ECB5BB798,SHA256=04D9BE97F8B273256E4B1A89D3FE5672A8317CC52A07F523A2D1F60967ABF3F8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191168Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:51.746{414E8EDF-CB83-6218-0904-000000003702}11282116C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{414E8EDF-B0BE-6218-2900-000000003702}2792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191167Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:51.558{414E8EDF-B0C0-6218-3300-000000003702}31843204C:\Windows\system32\conhost.exe{414E8EDF-CB83-6218-0904-000000003702}1128C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191166Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:51.558{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191165Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:51.558{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191164Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:51.558{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191163Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:51.558{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191162Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:51.558{414E8EDF-B0AE-6218-0500-000000003702}416532C:\Windows\system32\csrss.exe{414E8EDF-CB83-6218-0904-000000003702}1128C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000191161Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:51.558{414E8EDF-B0BE-6218-2900-000000003702}27923692C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{414E8EDF-CB83-6218-0904-000000003702}1128C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000191160Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:51.559{414E8EDF-CB83-6218-0904-000000003702}1128C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{414E8EDF-B0AE-6218-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{414E8EDF-B0BE-6218-2900-000000003702}2792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000191159Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:51.386{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=002D742A03E6ABA90E203AFAAA16EECF,SHA256=7EBE8092DAFA187B8AA9FB51B27424759CE20A7B8D53E858CAD0BA5079D35193,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191158Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:51.386{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9E05C03C140B1CE104FC2C000FF48373,SHA256=41F0EB7BCA617DD7FC7D05B4FD0DC5FAF440A748222AF73DDBB9422A94787FE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191157Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:51.167{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9BDAC11F2E9D3F0E5F374D65BEF9ED6,SHA256=B51FADB1043A8C29F54C55D51CE5539D9A5273053F29F88F4EAA9F79E9A3BE1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000136190Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:51.127{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A9E811E4A9ACC5375BFFDC65B9403CA,SHA256=4E6F0945303FB0AA6ABEB64DBC7850077297D997C1C61043E3469EF81A12DD4C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191156Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:51.042{414E8EDF-B0C0-6218-3300-000000003702}31843204C:\Windows\system32\conhost.exe{414E8EDF-CB83-6218-0804-000000003702}3040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191155Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:51.042{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191154Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:51.042{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191153Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:51.042{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191152Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:51.042{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191151Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:51.042{414E8EDF-B0AE-6218-0500-000000003702}416532C:\Windows\system32\csrss.exe{414E8EDF-CB83-6218-0804-000000003702}3040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000191150Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:51.042{414E8EDF-B0BE-6218-2900-000000003702}27923692C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{414E8EDF-CB83-6218-0804-000000003702}3040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000191149Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:51.043{414E8EDF-CB83-6218-0804-000000003702}3040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{414E8EDF-B0AE-6218-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{414E8EDF-B0BE-6218-2900-000000003702}2792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000136191Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:52.252{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E058A24A6DC916CCDE96BF962FCE62EF,SHA256=E24C21690D7708AFCEE6C5FB4A22166ABACEDD1356F1A068B873BFE8F6BA4140,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191187Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:52.902{414E8EDF-B0C0-6218-3300-000000003702}31843204C:\Windows\system32\conhost.exe{414E8EDF-CB84-6218-0B04-000000003702}4628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191186Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:52.902{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191185Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:52.902{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191184Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:52.902{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191183Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:52.902{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191182Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:52.902{414E8EDF-B0AE-6218-0500-000000003702}416432C:\Windows\system32\csrss.exe{414E8EDF-CB84-6218-0B04-000000003702}4628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000191181Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:52.902{414E8EDF-B0BE-6218-2900-000000003702}27923692C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{414E8EDF-CB84-6218-0B04-000000003702}4628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000191180Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:52.903{414E8EDF-CB84-6218-0B04-000000003702}4628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{414E8EDF-B0AE-6218-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{414E8EDF-B0BE-6218-2900-000000003702}2792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000191179Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:52.558{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=002D742A03E6ABA90E203AFAAA16EECF,SHA256=7EBE8092DAFA187B8AA9FB51B27424759CE20A7B8D53E858CAD0BA5079D35193,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191178Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:52.402{414E8EDF-CB84-6218-0A04-000000003702}2925588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{414E8EDF-B0BE-6218-2900-000000003702}2792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191177Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:52.230{414E8EDF-B0C0-6218-3300-000000003702}31843204C:\Windows\system32\conhost.exe{414E8EDF-CB84-6218-0A04-000000003702}292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191176Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:52.230{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191175Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:52.230{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191174Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:52.230{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191173Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:52.230{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191172Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:52.230{414E8EDF-B0AE-6218-0500-000000003702}416372C:\Windows\system32\csrss.exe{414E8EDF-CB84-6218-0A04-000000003702}292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000191171Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:52.230{414E8EDF-B0BE-6218-2900-000000003702}27923692C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{414E8EDF-CB84-6218-0A04-000000003702}292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000191170Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:52.231{414E8EDF-CB84-6218-0A04-000000003702}292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{414E8EDF-B0AE-6218-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{414E8EDF-B0BE-6218-2900-000000003702}2792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000191169Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:52.199{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD37F67242004BF76DF8F8CE7F8DE45E,SHA256=6394648A1DC0AF7C226EA84D07583C9649F5A066D8729721E5EC00855E64F156,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000136192Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:53.299{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74CF226C9F668323FB057F4D4D72FDB8,SHA256=CA9265B1EB5323B0DDE6F2602D13E2199E84882B76D224C07014361555D96C00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191201Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:53.949{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DBA92FA67AC8A39D37304B908BAB7CCD,SHA256=532A9771F50267F037A5B5383CA91807F0AD488112ECBAA949450ACD66DD0A9C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000191200Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:52.918{414E8EDF-B0AE-6218-0B00-000000003702}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-478.attackrange.local52752-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-478.attackrange.local389ldap 354300x8000000000000000191199Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:52.916{414E8EDF-B0BE-6218-2B00-000000003702}2820C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-478.attackrange.local52752-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-478.attackrange.local389ldap 10341000x8000000000000000191198Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:53.558{414E8EDF-CB85-6218-0C04-000000003702}13043196C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{414E8EDF-B0BE-6218-2900-000000003702}2792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191197Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:53.402{414E8EDF-B0C0-6218-3300-000000003702}31843204C:\Windows\system32\conhost.exe{414E8EDF-CB85-6218-0C04-000000003702}1304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191196Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:53.402{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191195Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:53.402{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191194Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:53.402{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191193Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:53.402{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191192Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:53.402{414E8EDF-B0AE-6218-0500-000000003702}416432C:\Windows\system32\csrss.exe{414E8EDF-CB85-6218-0C04-000000003702}1304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000191191Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:53.402{414E8EDF-B0BE-6218-2900-000000003702}27923692C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{414E8EDF-CB85-6218-0C04-000000003702}1304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000191190Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:53.403{414E8EDF-CB85-6218-0C04-000000003702}1304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{414E8EDF-B0AE-6218-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{414E8EDF-B0BE-6218-2900-000000003702}2792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000191189Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:53.214{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=120C80D05DEB0C853BD0123F7A000B33,SHA256=E3FFC43C7D4DABFF7D110DE3ABD01F236E08BE6D6DEDA7D21C46586976378FA1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191188Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:53.121{414E8EDF-CB84-6218-0B04-000000003702}46281628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{414E8EDF-B0BE-6218-2900-000000003702}2792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000136193Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:54.361{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=076A664828CABF47E5EB6E9632EA7A4F,SHA256=5BDF21A3FE71EECF6C29CC07A6CD9B3B7CD2A51621D6A78136D6E4C85380ED6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191202Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:54.230{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F38614B861E62F067135EC1D88326798,SHA256=17EAF39465175DB49B6E4B141C5B18F2CC68655848AA1E5A0236151BEEA58B5A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000191204Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:54.650{414E8EDF-B0C9-6218-6A00-000000003702}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52753-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000191203Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:55.230{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=976B60E675F25D7DAAFD8BC4F6D4A648,SHA256=6F08B985BD4C7D449DD08D83179335B3DCD173407F052B57D7CF8BED27A8464B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000136195Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:53.718{6AAC6DF5-B0C0-6218-5B00-000000003802}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-933.eu-central-1.compute.internal51032-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000136194Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:55.424{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B6102898BFEA52A3512BAA4EDE6C52A,SHA256=3F45EF2F98FB79294BB806A253CD305216E28DDCF0F20C49174382FB74745532,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191213Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:56.527{414E8EDF-B0C0-6218-3300-000000003702}31843204C:\Windows\system32\conhost.exe{414E8EDF-CB88-6218-0D04-000000003702}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191212Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:56.527{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191211Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:56.527{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191210Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:56.527{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191209Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:56.527{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191208Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:56.527{414E8EDF-B0AE-6218-0500-000000003702}4165324C:\Windows\system32\csrss.exe{414E8EDF-CB88-6218-0D04-000000003702}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000191207Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:56.527{414E8EDF-B0BE-6218-2900-000000003702}27923692C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{414E8EDF-CB88-6218-0D04-000000003702}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000191206Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:56.528{414E8EDF-CB88-6218-0D04-000000003702}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{414E8EDF-B0AE-6218-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{414E8EDF-B0BE-6218-2900-000000003702}2792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000191205Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:56.246{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92C49104125222543657A17E76F4550E,SHA256=39D4BC986C2981C6BFA73E7AAC1611F68AD96D1D655E7B0E95F752B1C0F7DC11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000136196Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:56.455{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C136FC428A3B3D9D2A6D924062B4FD81,SHA256=EA2BA4D2AB518E702C3E36227F96767C5FECE434739327AC05EF276C9E504D58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000136197Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:57.486{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D10C372C1843D08AADC5329C9CE1018,SHA256=E7BA801D8884CC376C9964D1CB0E33B488C62502ED73299E5D869186AE9C103A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191215Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:57.542{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2C2A59C9D860836198C9A53524C04064,SHA256=533199857965664F98F376E3016306E2020A43E04B3B7E81532DE89E6E171675,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191214Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:57.261{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2FF8E2BF8A85DCE92897FF963E30C78,SHA256=B9C5760E1198C7BE457DC0769A397C993CAE1FB75F82425F7D1F4CB476DCCD02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000136198Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:58.564{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6FA91085709507F803513280F677EF0,SHA256=12A4A7B870FCA6FE7AD953430ACC272154A56907C0EE1A3E09DA226CBDFE0850,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191216Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:58.261{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=182E3591750C2A8255C5D3FA558F8BEC,SHA256=95B03B476C1132C48086C2540167C2E4A594174C800AAC0893F17792B9605AD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000136199Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:59.580{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16A4A2560DDCEC8761131ED3C570BC25,SHA256=309AB4982B3FD6D7C81CBDCFE1DA6559B60FCAA8BFCCCF2530BF7A4AA30AD467,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191217Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:28:59.262{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FA1A48666F1FA4BBB42D05E715BE32D,SHA256=3F18C670DA43495FC328BA03A97B14545F56678DB5AB225957EC3B151DCE1CEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191218Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:29:00.277{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD367D86A20F38284A42C9C831BD0FBF,SHA256=B92B21F49EC5039E7DDD8C51660C06A2D0C920A2B316779F2BCD3D5426592108,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000136200Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:29:00.611{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAAA98C3ED21C49A343F2068A258CA56,SHA256=DE0B3FFBC14975D65047E82633625991780376A5A16845AE5E04328DD90FFA16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000136201Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:29:01.642{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5660188955CBAC49725DD6C922BB45BB,SHA256=5E34576456682E162496559B65BB4304430A11E5FB4F93BB9D9AED1F0D98F9CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191219Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:29:01.277{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6731B3052CBE17500ED319E2C0BDB94C,SHA256=B8F89546C9A5340E95B80D80B876685622223ADE0F34BBA60E6048D1FBA1B518,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000136203Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:29:02.674{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D1E9B037B2A1D12428DD3C34F7E4519,SHA256=43B127A72581311D9DF5BF0C4205CDFCD41DA74DB8033DA94585B2D62D3E5428,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191221Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:29:02.293{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21C283461DFA37BEF8FB7A8CFB6E0B5E,SHA256=337D4D12CE288614E25882EDF81EB7EBB0B417933A339313D4B5AA78C2BF6B44,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000136202Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:28:59.667{6AAC6DF5-B0C0-6218-5B00-000000003802}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-933.eu-central-1.compute.internal51033-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000191220Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:29:00.541{414E8EDF-B0C9-6218-6A00-000000003702}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52754-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000136204Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:29:03.689{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6593DA72CA855D7E4B85F4CE0B03032D,SHA256=C390F9042311199E7ECAD7F9856048E2387981EDE7953CCAB898E0E456C0B1B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191222Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:29:03.355{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A05D103C7436043D24E468BBEF01F5D,SHA256=A824D37789B1C24C1C262B7423D56D0C239E40BAD3ED629412A17392D76C1CF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000136205Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:29:04.705{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB5808289015AB7899FFC42349CDAB1F,SHA256=2BA2C3B6EE1FF04C9E70621628C26D71C833A5F2D3C1B65E9C71A64CDA7A5378,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191223Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:29:04.371{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B67B3C3203510D4C7ABC487799BA314,SHA256=D2833C9DB17E816B108F0583F301947A23FB05A486CDC6FB38BF4F018954E6F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191224Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:29:05.386{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F5986611B846D6EC3EB35DEA4689B8C,SHA256=A2BE9C08F6ED7C15EE3E05B4DC918F16C950859F408751CF7CCBDA90940F04D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000136206Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:29:05.720{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11F198E57AC498EE8E4B98CEB55D9D16,SHA256=7B1138E777A883245B88E2A4EBC87A2D4E2330462B1704474E388C47955BFDFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000136207Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:29:06.752{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA455913D311EBF76D55B4F9D22C5FCA,SHA256=B83BAF699E54B95A67C5AFDFADDA8E17827F5FF417D4F3A1B393142B23C4F5FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191225Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:29:06.386{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBD0682D43A46C214BFB3A03402CBFE7,SHA256=240B4C1C8FD069FA5E93E3F95A4F599B6FDEFFF0A13989544F1E8E1EB399BD9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000136209Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:29:07.767{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8F25065927D6703FE54C07D00AFCB05,SHA256=2AC12AB272A111594195BA18DDD1C10F619329A16D8D42BD35A055094425F253,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191227Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:29:07.402{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9006AD664D3C35043D771800690DC248,SHA256=FC318FFF5DC056BFCB93681D6F0E05CBBCB52C762C24B21F9A31D06A46BACBF2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000136208Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:29:05.578{6AAC6DF5-B0C0-6218-5B00-000000003802}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-933.eu-central-1.compute.internal51034-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000191226Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:29:05.713{414E8EDF-B0C9-6218-6A00-000000003702}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52755-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000136210Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:29:08.799{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E417A770F0AD1F62C0DDD8CDC64BF9D1,SHA256=1F8C8119079B79108B97A30A7D96DD6BAD9AE782FF3233E93C0221B6F2FB4115,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191228Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:29:08.418{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23FA5EDCCE5D3ED5222911782FFE39A4,SHA256=4F9CC198B968206AE78D49CE96198682557B1E71C27BAFCBFC714D3B7211991E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191229Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:29:09.433{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA24B69A2530B62E92BF162F4E7258F9,SHA256=C91DB5A1D03F0B481322B7332EF935A69E2CC9700DBE5426265BC4E476E3ECBF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000136211Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:29:09.845{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0F47300D7183137D223333EA77E6D0F,SHA256=D4A8E03854CADD3B9DBA48443AAD2B1024D2F403442DAB3D65BDC7271A859720,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000136212Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:29:10.845{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15EF7FE49CA35966181835249DBE7F5A,SHA256=E0CE752DE29C5F00EC7F5B101C8151C0604C5EBEE9F2AC9D3E018F85469F0A0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191230Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:29:10.433{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=895D0A25742E470A05142A45B03E4129,SHA256=E4F2804ABA3CB78F324461372868EC7DCF4119FDEAFE03204A14E906F59CD1E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000136213Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:29:11.877{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=733F68D497B126FBF386E4AD28BC1B94,SHA256=36DA286EE5DBF015E55D4177A0BE99EE8E08F9651EF47F4B955E3DDBF450B49A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191231Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:29:11.464{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=918CAD13BB5C81B804B88DA026C379CC,SHA256=274BBD08BC5B8041D029A17CA0E63B8D9A4425402CCAB63DCD80E0A6EF3BA569,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000136214Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:29:12.877{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3918033E78107E43D55CCD31B71F823C,SHA256=C1D8483ADE3A91953AF57771895A0616DE8DEA8105D6ED778A2A2E8105E8999F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191232Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:29:12.464{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB5454D15198C7F829BD695A36300847,SHA256=6A4394D535AEE551EA6DFB721850B8EEE2B0858F55C5FD7F6CE7628F3B7FB521,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191234Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:29:13.496{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7F429471FC34618ED694CEF51815455,SHA256=7CB7E43BE134F3D34B901F710F7299122008C1ECE3ADDA32A089A148F277D929,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000136216Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:29:13.892{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=453F0BA6306C2CD9D9F613901DF1B482,SHA256=4CF3D8A859D07A846E791EF10CF85CF6566D4D424A363CCAE491256CE347D4B3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000136215Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:29:11.578{6AAC6DF5-B0C0-6218-5B00-000000003802}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-933.eu-central-1.compute.internal51035-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000191233Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:29:11.697{414E8EDF-B0C9-6218-6A00-000000003702}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52756-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000136217Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:29:14.892{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28C5752146BC51ACE349B771F9797DC9,SHA256=47B06A3EEB415A49FC6DADC0B6055F12A98D62B7663CD4FEB0B066F4333AB686,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191235Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:29:14.511{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8989CCD0C43E22A7A4C8CCFB541CB3D1,SHA256=6195F3D773CDE853734C7BB4083E6870F7C54445D6D172B40BCB25030E5F56EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000136218Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:29:15.955{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC3617E5D7CB0EC5A4D67E60A1E15DBA,SHA256=17B368503F4EC5ACB171EAD66E0F7DC9773E5A145E790803F965E79F9E1E1368,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191236Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:29:15.527{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5357A0D574BDBBAAC9472F8379D9350D,SHA256=8188DADC0E608C625C98F93FE86F3EFE4A61DF1F89B2AF308A012675EE2F2DC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000136219Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:29:16.970{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC2378A0748AD4361E8089F6181585CA,SHA256=31AA2F6CCA48D773F39DF64883A69155BC13A27E68EB32DCF54A48A1AD5E4F40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191237Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:29:16.528{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1441C48B57B117422107ABFE39E781A4,SHA256=223CE381BCB70C7EC4EB048CA550E10360681F4224C9B58B6AEE2CD1F2B89B0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000136220Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:29:17.986{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAAB980C8A5B015E8AF6FE629DD418DC,SHA256=360CB2EF707ED18D23C1B83B6453F2B9C361C9B824690450A944861FB9295C10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191238Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:29:17.543{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBA451A9CB3AF1C37C66939ED41DBF6E,SHA256=83BAB107AB1DA19E9369E7841296C81DD0F747F6F0D39C028AEAF263CCF98306,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191240Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:29:18.558{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BF835EC412EADB878E3C85A81BE380A,SHA256=06FD9FC355A909D5C71ECFB36BA75B0A2BBA55096D1AB40477F8F5C590851079,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000191239Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:29:17.540{414E8EDF-B0C9-6218-6A00-000000003702}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52757-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000191241Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:29:19.574{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22EE62B77C01A7246DF4598AFFFD894B,SHA256=FB1497916B4E5F6E6481DEDF7CB3557E928DB41C76BB26D092A29F70AEC1CBBF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000136223Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:29:19.772{6AAC6DF5-B0B2-6218-1D00-000000003802}1952NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d7ccee276d30a4b6\channels\health\respondent-20220225103429-111MD5=FBD42F5F8AA0DC0DD6067820063FF10B,SHA256=AAA41009555F09EFB0ED817562D7125DD50A33AE671816E82835424EE5CAE232,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000136222Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:29:16.718{6AAC6DF5-B0C0-6218-5B00-000000003802}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-933.eu-central-1.compute.internal51036-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000136221Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:29:19.033{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B66A9DF632EFE99394F1BC558D3CC56,SHA256=583FBAE1A7D0E8C09622541B44C53B69DB44BB7B2E839DCDBCE5ECEF9E47B710,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191242Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:29:20.668{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84B80746A5069BFF3B4BDC761DE9D43F,SHA256=17A1FB598D1BA08ED27B4C3ECF144B53FABB45AF4607AA0695AD44CD7AB5012B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000136225Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:29:20.786{6AAC6DF5-B0B2-6218-1D00-000000003802}1952NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d7ccee276d30a4b6\channels\health\surveyor-20220225103427-112MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000136224Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:29:20.035{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=124099375614FB3FD76038FEA45880F2,SHA256=CE71FCCC337C96A87F773D24BC8C1E08A0F255EFAE85C297020338591DAB66A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191244Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:29:21.715{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D998C7B5A4F134C2085128CBDC048AA3,SHA256=DC38062FAA6F6B0A5CE6D27D73038C93BC4CEC020F596398BE578FF9004F9C9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000136226Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:29:21.143{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDB0E46200115A1D2B2F615238C0E6C1,SHA256=EA84D7995E4F142D1282B9D12EA7ABFF02CB73702433148654543D74BE48347E,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000191243Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-SetValue2022-02-25 12:29:21.324{414E8EDF-B0B1-6218-1200-000000003702}500C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d82a43-0x50be2e67) 23542300x8000000000000000191245Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:29:22.715{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33D5D7F69580ACBD5A52B5403E36ED06,SHA256=253748A5285F58A4DF57DC279E6839E1543E2BD59368A3D8C3392667EDB580B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000136227Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:29:22.145{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5FB7FBD133CB2474D956BAD9B8F9520,SHA256=210B8E9CCA8881D24A4A021781A66CCCAD340090566579826B25F11CABA59003,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191247Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:29:23.730{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A51361DCE5F51E4807D4A9496CBC6B8,SHA256=1EECFED3271EE668F1DAEED3D43324A743BA994EC2C80D714801CC1EE24C1969,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000136228Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:29:23.192{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDD1E25894DF0F5FCE7BE02498D4CFF9,SHA256=BB850D46F1D78E3AA3B745410A1533D4FE42F8F8A6A841FFF7074630DD2C996A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000191246Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:29:22.540{414E8EDF-B0C9-6218-6A00-000000003702}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52758-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000191248Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:29:24.746{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9F43EA9C92D5AA61C7EACBDADC94F77,SHA256=46E27B9A68E1B8D92917D0614CF63D1BC5C4838657EA7BE1F019A8481C7130E4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000136230Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:29:22.534{6AAC6DF5-B0C0-6218-5B00-000000003802}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-933.eu-central-1.compute.internal51037-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000136229Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:29:24.223{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=524683E32151B24F346F56A2598D09BB,SHA256=D698A14F71DCBD8A78FD4A97B6EBA123DE554A9835143E1AB91085B478976245,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000136231Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:29:25.239{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B5BF532E2C5B3E5E8D43FE46DB8642A,SHA256=7687F1D5040CA379A14BAB81B6C8D5095681BFEB9A9785656F2852F686D61C0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191249Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:29:25.543{414E8EDF-B0B1-6218-1100-000000003702}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=AE1668E21F660CB0A818707B1005232F,SHA256=3299476BAE62B2FA155F3112C5E25BC87E538F5FF33D4496F881124AB90864A3,IMPHASH=00000000000000000000000000000000falsetrue