23542300x8000000000000000189324Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:27.705{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=251163A4FFA9220A04968FF7AA9CAA35,SHA256=66D39EF7E61C0CD0F2712575E3C213010481C30FD8DBBB5BF2D3370EBC69A6F8,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000134458Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-SetValue2022-02-25 12:19:27.444{6AAC6DF5-B0B1-6218-1400-000000003802}1084C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d82a41-0xeec35236) 354300x8000000000000000134457Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:24.687{6AAC6DF5-B0C0-6218-5B00-000000003802}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-933.eu-central-1.compute.internal50923-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000134456Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:27.194{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D17EDF73B9D607DB31DFB355DD969D19,SHA256=EBD5731D434211F497406EB380414AD392C6B9E70539A366D2F9254F4A35C824,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000189323Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-SetValue2022-02-25 12:19:27.111{414E8EDF-B0AE-6218-0B00-000000003702}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x8000000000000000189322Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-SetValue2022-02-25 12:19:27.111{414E8EDF-B0AE-6218-0B00-000000003702}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x006049c7) 13241300x8000000000000000189321Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-SetValue2022-02-25 12:19:27.111{414E8EDF-B0AE-6218-0B00-000000003702}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d82a39-0x8c5a303c) 13241300x8000000000000000189320Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-SetValue2022-02-25 12:19:27.111{414E8EDF-B0AE-6218-0B00-000000003702}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d82a41-0xee1e983c) 13241300x8000000000000000189319Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-SetValue2022-02-25 12:19:27.111{414E8EDF-B0AE-6218-0B00-000000003702}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d82a4a-0x4fe3003c) 13241300x8000000000000000189318Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-SetValue2022-02-25 12:19:27.111{414E8EDF-B0AE-6218-0B00-000000003702}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x8000000000000000189317Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-SetValue2022-02-25 12:19:27.111{414E8EDF-B0AE-6218-0B00-000000003702}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x006049c7) 13241300x8000000000000000189316Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-SetValue2022-02-25 12:19:27.111{414E8EDF-B0AE-6218-0B00-000000003702}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d82a39-0x8c5a303c) 13241300x8000000000000000189315Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-SetValue2022-02-25 12:19:27.111{414E8EDF-B0AE-6218-0B00-000000003702}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d82a41-0xee1e983c) 13241300x8000000000000000189314Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-SetValue2022-02-25 12:19:27.111{414E8EDF-B0AE-6218-0B00-000000003702}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d82a4a-0x4fe3003c) 23542300x8000000000000000189326Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:28.939{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9577671C5C141EEA4BF4FE55049342F3,SHA256=AFE2DDF000B5C2A50B4831E13EFAED1E9C70185214A6D65EAFB61E317740E1CE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000189325Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:27.570{414E8EDF-B0C9-6218-6A00-000000003702}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52618-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000134459Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:28.194{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA2AA3FD2EF57A664039189CC8D9C29E,SHA256=C84C12E1DA9444D55DE2DFE18FC8F0C79254B4FB2AFE62532420F8C96C4FE9EE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000134461Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:26.936{6AAC6DF5-B0B1-6218-1400-000000003802}1084C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-tcontreras-attack-range-933.eu-central-1.compute.internal123ntpfalse169.254.169.123-123ntp 23542300x8000000000000000134460Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:29.241{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1617E3BCC58B4920037FB1BDA08E79AD,SHA256=BEC22F8D45C18A51B99240994612DFE0B054D621AFB5D393BDAF556FE128A3C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189327Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:30.142{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D37D1E217072A331A34A7F51AC7823B5,SHA256=55BE98F43E9560B38D834A11BA46DE168B9D9493F09D5672ECD102FA8C13DF18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134463Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:30.258{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85C99397FA8AEE14609A10FA2FFE3DB6,SHA256=BE10681F2B6A19C1CAB73D2060F85E2E239992A246BBB0773EC079304A7DEFC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134462Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:30.101{6AAC6DF5-B0B2-6218-2200-000000003802}1500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=4A396A40DE4AD844AFDFD6BFEE34209D,SHA256=ABC582D2644B8C5C1CF17206963A01B55D9A40BBB1979B03D8F2D216AA803ABE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189328Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:31.251{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=947A99AABABD51DF79CA70E31BEE689F,SHA256=DA4781704D26D589833228C8B6758EA1A140F980CC58649EFF668DF9A086A33E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000134465Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:29.594{6AAC6DF5-B0B2-6218-2200-000000003802}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-933.eu-central-1.compute.internal50924-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000134464Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:31.274{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F870AE2169F9A800EAC39569885C46F,SHA256=919F11AFCAA7F9C68AC22BB7DB0AE9F4668BC4FFD932079CE70E6934429D8DF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189329Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:32.267{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F4DEB056521010B3BDE8D1DD82DD873,SHA256=9ADBC4FBC505A829889F19686F9ED77BEFA56DAE5FB30E9887C2EB7CEA95980E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000134467Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:30.595{6AAC6DF5-B0C0-6218-5B00-000000003802}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-933.eu-central-1.compute.internal50925-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000134466Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:32.289{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5C86BA6672C0543AE64629B3E19462D,SHA256=AE0349CDD9B2CD0EAB0BF88F3026F7C4A798F6308601589326127EAF9CC68191,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189330Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:33.423{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E196B3D9A5BD4F24ADC24BB78A6EB594,SHA256=74D11C73D3C4CB320D9787588A3A38D5560D9DCC95844318B80E0DF6DADC97F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134468Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:33.368{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9887E664CF1CBD4E3B44B29B3992BA5,SHA256=368B55AA70D71790464BA728A2FEF040C12676E6D6ED6701EB2AEF02A85A4490,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000189332Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:32.601{414E8EDF-B0C9-6218-6A00-000000003702}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52619-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000189331Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:34.455{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E029848D9007F1355F8FF752E009785C,SHA256=DF843FB36005108D0B7200042E362AF6D0EF752F6F75B62B3B10640D8A1CE2E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134469Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:34.383{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F085BD8C2CE4BB72E50258ED1CB0154,SHA256=0DA7603F16C0E445B8BC5BF412AF92DA00E244E342D5F81F8DE7173361689F40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189333Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:35.470{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99A728160A01C944DB70F80713DCDCB5,SHA256=10C049D2CD17D8FC79A5526266BC782C37EB79E46311AD6967445181BE9EEE59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134470Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:35.399{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25B12A801C259E6B04FE1D89C9610DFF,SHA256=E95712DC7A44E51AA19706B4A085C1D2665E07683C34A1A88069DB0BA5950F41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189334Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:36.627{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5904AAFFEC00925EAEC8AE429D44882,SHA256=42B9E5C1ACE2E937B950521E2FABC4D1883AA2934209B1832F0262130C280F34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134471Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:36.415{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C281523379213B47C469E7D90025BD43,SHA256=E5AED7AC30942B8EF7078E59F5D3CFB707024061BD6CC764916A8FD41DD3A351,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189335Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:37.658{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBEC16D940FED7BF136C5EA665C130E8,SHA256=CB14B8715FF8CD79DC791C7EAAEE5CD1C6E1DB1480AE6B344B94CFD3A3DFDFDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134472Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:37.430{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F078773A5DB9AAE68D6676C0F0DDCE43,SHA256=5B5CE2DB273992BB5F650E7D91F20CE71E960F5AB8386C57953C8802F729B9E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189337Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:38.752{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E3273E45CB837251D5175F3302D2305,SHA256=2C3AC80291F1D329A60B5A5C0F87C4797DA46C1407669A7931658DD639DB84A5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000134474Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:36.610{6AAC6DF5-B0C0-6218-5B00-000000003802}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-933.eu-central-1.compute.internal50926-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000134473Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:38.446{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97AB75FCA91051BC584FD1435A0CE3E6,SHA256=74CDA516D50A0334813888EDA10176B6280C7AFCC7B39A22AED61DD93BD98A4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189336Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:38.470{414E8EDF-B0BE-6218-2900-000000003702}2792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=4A396A40DE4AD844AFDFD6BFEE34209D,SHA256=ABC582D2644B8C5C1CF17206963A01B55D9A40BBB1979B03D8F2D216AA803ABE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000189339Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:38.555{414E8EDF-B0C9-6218-6A00-000000003702}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52620-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000189338Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:39.830{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B8FC16BAE895DC05D3171C2D3811E74,SHA256=D43A8ED477F29DAF76B49545D1E655637A5432CEF2CAAE94F5522D887497A559,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134475Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:39.461{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E90BFA307B6B48E4ABB907F920BBF4A,SHA256=16648D4781FB57F7CD3613E0A82160E713E402F297FE387602239D51DE8046B8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000189341Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:38.961{414E8EDF-B0BE-6218-2900-000000003702}2792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52621-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000189340Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:40.845{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC5B1C6CB58A055932650B2695B66B07,SHA256=179CB8C184B4F8DBF3612418622844456C21BAAC5477AA52DAD6CFC9E1CA3AB1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000134489Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:40.665{6AAC6DF5-B0B4-6218-2B00-000000003802}28082828C:\Windows\system32\conhost.exe{6AAC6DF5-C95C-6218-7403-000000003802}3316C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134488Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:40.665{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134487Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:40.665{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134486Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:40.665{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134485Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:40.665{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134484Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:40.665{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134483Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:40.665{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134482Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:40.665{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134481Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:40.665{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134480Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:40.665{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134479Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:40.665{6AAC6DF5-B0AF-6218-0500-000000003802}424440C:\Windows\system32\csrss.exe{6AAC6DF5-C95C-6218-7403-000000003802}3316C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000134478Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:40.665{6AAC6DF5-B0B2-6218-2200-000000003802}15003888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6AAC6DF5-C95C-6218-7403-000000003802}3316C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000134477Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:40.665{6AAC6DF5-C95C-6218-7403-000000003802}3316C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6AAC6DF5-B0B0-6218-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{6AAC6DF5-B0B2-6218-2200-000000003802}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000134476Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:40.477{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC940913A0812DA305F54374ECD46A56,SHA256=0681EC70897227815F8ECDDF742EE5D90D75086B90576B57A8EA923BA8D9A00C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000134519Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:41.962{6AAC6DF5-B0B4-6218-2B00-000000003802}28082828C:\Windows\system32\conhost.exe{6AAC6DF5-C95D-6218-7603-000000003802}2616C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134518Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:41.962{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134517Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:41.962{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134516Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:41.962{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134515Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:41.962{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134514Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:41.962{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134513Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:41.962{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000134512Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:41.962{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7EFB964812328CAD23502CECFA0A2B78,SHA256=BCD64946F7B15C3357E885715734820B494C7DA08CCC74348335E4907DBF3041,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000134511Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:41.962{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134510Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:41.962{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134509Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:41.962{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134508Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:41.962{6AAC6DF5-B0AF-6218-0500-000000003802}424440C:\Windows\system32\csrss.exe{6AAC6DF5-C95D-6218-7603-000000003802}2616C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000134507Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:41.962{6AAC6DF5-B0B2-6218-2200-000000003802}15003888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6AAC6DF5-C95D-6218-7603-000000003802}2616C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000134506Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:41.964{6AAC6DF5-C95D-6218-7603-000000003802}2616C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6AAC6DF5-B0B0-6218-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{6AAC6DF5-B0B2-6218-2200-000000003802}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000134505Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:41.962{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7576B15BECB23F8D17CD700D87810FA0,SHA256=9032C787204E4765EF59E99BC5B46B2C222D775EC7F5750EF83D9B951CE33B2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134504Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:41.962{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCA4185D12A60BEE5AF0D5CDA152C096,SHA256=BB5DDF5DA6BCC663FC0E676129D084907BB3621E5207F1D58013DBDEC9F2B223,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000134503Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:41.493{6AAC6DF5-C95D-6218-7503-000000003802}27363360C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{6AAC6DF5-B0B2-6218-2200-000000003802}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134502Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:41.337{6AAC6DF5-B0B4-6218-2B00-000000003802}28082828C:\Windows\system32\conhost.exe{6AAC6DF5-C95D-6218-7503-000000003802}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134501Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:41.337{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134500Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:41.337{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134499Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:41.337{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134498Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:41.337{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134497Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:41.337{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134496Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:41.337{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134495Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:41.337{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134494Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:41.337{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134493Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:41.337{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134492Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:41.337{6AAC6DF5-B0AF-6218-0500-000000003802}424440C:\Windows\system32\csrss.exe{6AAC6DF5-C95D-6218-7503-000000003802}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000134491Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:41.337{6AAC6DF5-B0B2-6218-2200-000000003802}15003888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6AAC6DF5-C95D-6218-7503-000000003802}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000134490Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:41.337{6AAC6DF5-C95D-6218-7503-000000003802}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6AAC6DF5-B0B0-6218-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{6AAC6DF5-B0B2-6218-2200-000000003802}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000189342Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:42.066{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B4DE742A29F26B85EDB1BC414D0AE59,SHA256=89A1D0A7CE94809D6B4CF1816DC8A1CA41749A0FF0F1911B61878506BD5A64FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134521Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:42.993{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7EFB964812328CAD23502CECFA0A2B78,SHA256=BCD64946F7B15C3357E885715734820B494C7DA08CCC74348335E4907DBF3041,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134520Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:42.508{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABBE2D9439B549206F5CC9024E216C0C,SHA256=9F45C20DAC908E25253A7D8F20023C656C0998149707EA4FF81F826D3735DE92,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000134523Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:41.658{6AAC6DF5-B0C0-6218-5B00-000000003802}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-933.eu-central-1.compute.internal50927-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000134522Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:43.508{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F4BD6590DA6FEFD05B8157B8037B61A,SHA256=2005AE949259D112AD3B81250C7CAFB623E23E48DA05FBBBD42715DBD218DAA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189343Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:43.097{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02362AED39BD94714F749784DD484BD6,SHA256=A91A9371DC4E6ADEEDC45A9578FDBD454CEB1AE4CE4B614AF6A45504765BEF05,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000134538Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:44.852{6AAC6DF5-C960-6218-7703-000000003802}32003140C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6AAC6DF5-B0B2-6218-2200-000000003802}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134537Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:44.712{6AAC6DF5-B0B4-6218-2B00-000000003802}28082828C:\Windows\system32\conhost.exe{6AAC6DF5-C960-6218-7703-000000003802}3200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134536Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:44.712{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134535Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:44.712{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134534Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:44.712{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134533Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:44.712{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134532Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:44.712{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134531Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:44.712{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134530Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:44.712{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134529Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:44.712{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134528Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:44.712{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134527Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:44.712{6AAC6DF5-B0AF-6218-0500-000000003802}424440C:\Windows\system32\csrss.exe{6AAC6DF5-C960-6218-7703-000000003802}3200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000134526Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:44.712{6AAC6DF5-B0B2-6218-2200-000000003802}15003888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6AAC6DF5-C960-6218-7703-000000003802}3200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000134525Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:44.713{6AAC6DF5-C960-6218-7703-000000003802}3200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{6AAC6DF5-B0B0-6218-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6AAC6DF5-B0B2-6218-2200-000000003802}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000134524Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:44.524{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C1B04100A50363929818973A2555D4F,SHA256=F3196392EA69B879954BDD5D3233BF2A3114532A240FACF32D33E7EB752B535C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189344Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:44.112{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9C39C6AABD2CEF25804CEFC3C487E7F,SHA256=140D919DB66A6814B43348B6A921DD9B28192693F80EC92CF4E1E905C2D3A89E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134554Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:45.852{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC7266E643CA06B22A6A607B5DAF6128,SHA256=3D0D7C6324324417B7AF625D79902BBC67138255ADF02D70E8B3977A59D1320B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134553Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:45.852{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=559F5AF9AD037E5311741746F842FA98,SHA256=AC3CA2BB5EE6B269688C30AB9B10048F547A6D30C98F2556290D08EAD5B8B22D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000134552Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:45.540{6AAC6DF5-C961-6218-7803-000000003802}32923372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6AAC6DF5-B0B2-6218-2200-000000003802}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000189346Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:45.222{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D346ACE7A261A9F10A9EC2AC524893E,SHA256=32AA38479099437FB71204C93B680437C9EFEE4920370755CF0681D8623138D7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000134551Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:45.384{6AAC6DF5-B0B4-6218-2B00-000000003802}28082828C:\Windows\system32\conhost.exe{6AAC6DF5-C961-6218-7803-000000003802}3292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134550Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:45.384{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134549Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:45.384{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134548Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:45.384{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134547Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:45.384{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134546Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:45.384{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134545Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:45.384{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134544Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:45.384{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134543Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:45.384{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134542Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:45.384{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134541Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:45.384{6AAC6DF5-B0AF-6218-0500-000000003802}424440C:\Windows\system32\csrss.exe{6AAC6DF5-C961-6218-7803-000000003802}3292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000134540Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:45.384{6AAC6DF5-B0B2-6218-2200-000000003802}15003888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6AAC6DF5-C961-6218-7803-000000003802}3292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000134539Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:45.384{6AAC6DF5-C961-6218-7803-000000003802}3292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6AAC6DF5-B0B0-6218-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6AAC6DF5-B0B2-6218-2200-000000003802}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000189345Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:43.728{414E8EDF-B0C9-6218-6A00-000000003702}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52622-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000189395Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:46.487{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAF7128822648F0279EE71ECCE655D4E,SHA256=611DBD291291A9BE91F60826E68E87AB8B5A9A4561A718453FEB291CE4753B3B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000134568Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:46.884{6AAC6DF5-B0B4-6218-2B00-000000003802}28082828C:\Windows\system32\conhost.exe{6AAC6DF5-C962-6218-7903-000000003802}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134567Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:46.884{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134566Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:46.884{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134565Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:46.884{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134564Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:46.884{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134563Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:46.884{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134562Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:46.884{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134561Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:46.884{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134560Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:46.884{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134559Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:46.884{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134558Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:46.884{6AAC6DF5-B0AF-6218-0500-000000003802}424540C:\Windows\system32\csrss.exe{6AAC6DF5-C962-6218-7903-000000003802}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000134557Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:46.884{6AAC6DF5-B0B2-6218-2200-000000003802}15003888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6AAC6DF5-C962-6218-7903-000000003802}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000134556Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:46.884{6AAC6DF5-C962-6218-7903-000000003802}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6AAC6DF5-B0B0-6218-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{6AAC6DF5-B0B2-6218-2200-000000003802}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000134555Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:46.555{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CCB06696009E4CF5101B142C612B3FD,SHA256=3E5A5087A45B4A980087C12CE484DF913C6DB86880498115BCD94507A3C4870B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000189394Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:46.050{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DD-6218-8900-000000003702}4020C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189393Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:46.050{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DD-6218-8900-000000003702}4020C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189392Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:46.050{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DD-6218-8900-000000003702}4020C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189391Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:46.050{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DD-6218-8900-000000003702}4020C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189390Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:46.050{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DD-6218-8900-000000003702}4020C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189389Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:46.050{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DD-6218-8900-000000003702}4020C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189388Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:46.050{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DD-6218-8900-000000003702}4020C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189387Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:46.050{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DD-6218-8900-000000003702}4020C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189386Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:46.050{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DD-6218-8900-000000003702}4020C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189385Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:46.050{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DD-6218-8A00-000000003702}4764C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189384Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:46.050{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DD-6218-8A00-000000003702}4764C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189383Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:46.050{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DD-6218-8A00-000000003702}4764C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189382Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:46.050{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2700-000000003702}2764C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189381Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:46.050{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2700-000000003702}2764C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189380Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:46.050{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189379Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:46.050{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189378Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:46.050{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189377Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:46.050{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189376Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:46.050{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189375Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:46.050{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189374Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:46.050{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189373Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:46.050{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189372Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:46.050{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189371Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:46.050{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189370Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:46.050{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189369Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:46.050{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189368Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:46.050{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189367Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:46.050{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189366Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:46.050{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189365Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:46.050{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189364Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:46.050{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189363Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:46.050{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189362Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:46.050{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189361Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:46.050{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189360Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:46.050{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189359Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:46.050{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189358Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:46.050{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189357Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:46.050{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189356Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:46.050{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189355Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:46.050{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189354Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:46.050{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189353Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:46.050{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189352Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:46.050{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189351Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:46.050{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189350Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:46.050{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189349Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:46.050{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189348Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:46.050{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189347Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:46.050{414E8EDF-B0B0-6218-0D00-000000003702}900920C:\Windows\system32\svchost.exe{414E8EDF-B0DB-6218-8600-000000003702}4956C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000189396Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:47.550{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2607D15376938736ADA4565DED51C9E5,SHA256=7356DC79CE9D2767649FAE06334774501695266653ABA3D4A48B77C6A5A0F4AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134571Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:47.899{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D7DB62E7BABB33BD7D383CA2F6C2588C,SHA256=5B810D72918897C965C89CBAD864CC37686BD46FF112005AE7F9D926D5986094,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134570Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:47.571{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38B2D9E24C1D8A21FB00E40C2504B601,SHA256=97E7486D801CE88084037A36DC9D3AB707D5DA823916AD3BFD68DC2ADF7ABDA9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000134569Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:47.040{6AAC6DF5-C962-6218-7903-000000003802}30523236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{6AAC6DF5-B0B2-6218-2200-000000003802}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000189397Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:48.581{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0563EAB4F71C5A823C01C941C2EFF9B7,SHA256=CF42887B1CDD43DCEF9624C150371828BF5E806B77239B3825EF9A7056A2EEAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134585Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:48.587{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C623D5B4ED5742FF7C6A41E52A25583,SHA256=EF7D54964E096A410CA5D34230FEE8F4E40D661187A571E8F51E86EA2C1E8384,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000134584Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:48.290{6AAC6DF5-B0B4-6218-2B00-000000003802}28082828C:\Windows\system32\conhost.exe{6AAC6DF5-C964-6218-7A03-000000003802}1548C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134583Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:48.290{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134582Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:48.290{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134581Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:48.290{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134580Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:48.290{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134579Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:48.290{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134578Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:48.290{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134577Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:48.290{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134576Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:48.290{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134575Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:48.290{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134574Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:48.290{6AAC6DF5-B0AF-6218-0500-000000003802}4241012C:\Windows\system32\csrss.exe{6AAC6DF5-C964-6218-7A03-000000003802}1548C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000134573Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:48.290{6AAC6DF5-B0B2-6218-2200-000000003802}15003888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6AAC6DF5-C964-6218-7A03-000000003802}1548C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000134572Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:48.291{6AAC6DF5-C964-6218-7A03-000000003802}1548C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6AAC6DF5-B0B0-6218-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{6AAC6DF5-B0B2-6218-2200-000000003802}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000189398Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:49.612{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A261131C3DDD2BD1A6D04CB418E1CAF8,SHA256=2783C04DECB5A31908ED8188873765057992610CAF46946F6DCF55E90F67F0B2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000134588Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:47.563{6AAC6DF5-B0C0-6218-5B00-000000003802}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-933.eu-central-1.compute.internal50928-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000134587Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:49.594{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D72DD7C8A468768E6437FD78EC503465,SHA256=DE9DB89B38DED939F17ADE8C0296E3B6D3C75006B6E4EC1C8A855F65B1FE167D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134586Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:49.321{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C727CB870568E9099618EC59F7A40C9A,SHA256=68B4AA5351812C9A40F5A74281D84085A57C368A38377EF015D58A4A814EBC87,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000189415Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:50.815{414E8EDF-B0C0-6218-3300-000000003702}31843204C:\Windows\system32\conhost.exe{414E8EDF-C966-6218-C403-000000003702}5780C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189414Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:50.815{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189413Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:50.815{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189412Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:50.815{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189411Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:50.815{414E8EDF-B0AE-6218-0500-000000003702}4165324C:\Windows\system32\csrss.exe{414E8EDF-C966-6218-C403-000000003702}5780C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000189410Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:50.815{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189409Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:50.815{414E8EDF-B0BE-6218-2900-000000003702}27923692C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{414E8EDF-C966-6218-C403-000000003702}5780C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000189408Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:50.816{414E8EDF-C966-6218-C403-000000003702}5780C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{414E8EDF-B0AE-6218-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{414E8EDF-B0BE-6218-2900-000000003702}2792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000189407Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:50.800{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85BDA19F9B044B7D572460FE1C9F0B2A,SHA256=1EE88A55571DC208B60C3F7AB5FFF2B41EA8AB1BACA971900B66089E0C0F928F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134589Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:50.602{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2141094B082A4C212F9D080FEE34867,SHA256=368BA97E5B7C9A075165A1E2209D1D5252D036EA3FF5E9048AD9CFB3D37E373F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000189406Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:50.315{414E8EDF-B0C0-6218-3300-000000003702}31843204C:\Windows\system32\conhost.exe{414E8EDF-C966-6218-C303-000000003702}2116C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189405Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:50.315{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189404Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:50.315{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189403Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:50.315{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189402Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:50.315{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189401Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:50.315{414E8EDF-B0AE-6218-0500-000000003702}4165324C:\Windows\system32\csrss.exe{414E8EDF-C966-6218-C303-000000003702}2116C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000189400Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:50.315{414E8EDF-B0BE-6218-2900-000000003702}27923692C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{414E8EDF-C966-6218-C303-000000003702}2116C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000189399Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:50.316{414E8EDF-C966-6218-C303-000000003702}2116C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{414E8EDF-B0AE-6218-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{414E8EDF-B0BE-6218-2900-000000003702}2792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000189436Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:51.894{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C04FE3409507522B277E9EB2AA95D1C,SHA256=32D691A1BB67CB0CB700B65451E06647B4908191D424F0ED1253B659C215A487,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000189435Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:51.894{414E8EDF-B0C0-6218-3300-000000003702}31843204C:\Windows\system32\conhost.exe{414E8EDF-C967-6218-C603-000000003702}360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189434Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:51.894{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189433Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:51.894{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189432Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:51.894{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189431Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:51.894{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189430Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:51.894{414E8EDF-B0AE-6218-0500-000000003702}416532C:\Windows\system32\csrss.exe{414E8EDF-C967-6218-C603-000000003702}360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000189429Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:51.894{414E8EDF-B0BE-6218-2900-000000003702}27923692C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{414E8EDF-C967-6218-C603-000000003702}360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000189428Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:51.895{414E8EDF-C967-6218-C603-000000003702}360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{414E8EDF-B0AE-6218-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{414E8EDF-B0BE-6218-2900-000000003702}2792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000134590Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:51.618{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92F04850FFA4D5CE83CC55D223399D5A,SHA256=E6BB206F479C371CA5188A4AB34A996DDB5659C5653C10FAA6A31807CE7C704F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000189427Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:51.628{414E8EDF-C967-6218-C503-000000003702}47443336C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{414E8EDF-B0BE-6218-2900-000000003702}2792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189426Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:51.394{414E8EDF-B0C0-6218-3300-000000003702}31843204C:\Windows\system32\conhost.exe{414E8EDF-C967-6218-C503-000000003702}4744C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189425Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:51.394{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189424Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:51.394{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189423Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:51.394{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189422Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:51.394{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189421Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:51.394{414E8EDF-B0AE-6218-0500-000000003702}416372C:\Windows\system32\csrss.exe{414E8EDF-C967-6218-C503-000000003702}4744C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000189420Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:51.394{414E8EDF-B0BE-6218-2900-000000003702}27923692C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{414E8EDF-C967-6218-C503-000000003702}4744C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000189419Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:51.395{414E8EDF-C967-6218-C503-000000003702}4744C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{414E8EDF-B0AE-6218-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{414E8EDF-B0BE-6218-2900-000000003702}2792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000189418Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:51.362{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=64B24BFA95201EEDE99FFD3E0C2C3A31,SHA256=2DFA0EE258AAE4017B9D5EC51EE63C31243B5CC3438415AD14FAECC01F19198C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189417Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:51.362{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0562F8A4D44AFCF06E2FA694780D2EC8,SHA256=048A2F1E2301464879CFFAE2BE96182184C39B14F5A31C1FF4D6D84F959A90EC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000189416Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:49.665{414E8EDF-B0C9-6218-6A00-000000003702}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52623-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000189439Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:52.940{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6984D4B2A4C7EC77934738D148072ED,SHA256=D04A5B05D95B805E79A877E5DF8BF7304CAB085EE8A2323EACADE4F6BAA5D43F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134591Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:52.618{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01F08A890BA240DA42CEEE0118032876,SHA256=835A94573AE0B17820E1BA50B32ACFAE07BC53FF9A72EA949F4813D521B93EE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189438Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:52.425{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=64B24BFA95201EEDE99FFD3E0C2C3A31,SHA256=2DFA0EE258AAE4017B9D5EC51EE63C31243B5CC3438415AD14FAECC01F19198C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000189437Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:52.159{414E8EDF-C967-6218-C603-000000003702}3601932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{414E8EDF-B0BE-6218-2900-000000003702}2792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000189458Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:53.956{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1AB4B62152A99CC9A7A481E399BAB44,SHA256=89F964E2F079FD1403D95BF964AE50BEF26F6204E44835C7A00251D6ACB80E2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134592Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:53.634{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46372107FECA159046AC1CA5DE94214D,SHA256=A3A39A794AF8BA623B6744E29ACF2F5C39A744B1BC528ED1E63B606CEF678F9D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000189457Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:53.659{414E8EDF-C969-6218-C803-000000003702}59765532C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{414E8EDF-B0BE-6218-2900-000000003702}2792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189456Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:53.503{414E8EDF-B0C0-6218-3300-000000003702}31843204C:\Windows\system32\conhost.exe{414E8EDF-C969-6218-C803-000000003702}5976C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189455Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:53.503{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189454Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:53.503{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189453Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:53.503{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189452Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:53.503{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189451Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:53.503{414E8EDF-B0AE-6218-0500-000000003702}416532C:\Windows\system32\csrss.exe{414E8EDF-C969-6218-C803-000000003702}5976C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000189450Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:53.503{414E8EDF-B0BE-6218-2900-000000003702}27923692C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{414E8EDF-C969-6218-C803-000000003702}5976C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000189449Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:53.504{414E8EDF-C969-6218-C803-000000003702}5976C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{414E8EDF-B0AE-6218-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{414E8EDF-B0BE-6218-2900-000000003702}2792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000189448Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:53.222{414E8EDF-C969-6218-C703-000000003702}58484652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{414E8EDF-B0BE-6218-2900-000000003702}2792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189447Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:53.003{414E8EDF-B0C0-6218-3300-000000003702}31843204C:\Windows\system32\conhost.exe{414E8EDF-C969-6218-C703-000000003702}5848C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189446Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:53.003{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189445Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:53.003{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189444Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:53.003{414E8EDF-B0AE-6218-0500-000000003702}416432C:\Windows\system32\csrss.exe{414E8EDF-C969-6218-C703-000000003702}5848C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000189443Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:53.003{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189442Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:53.003{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189441Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:53.003{414E8EDF-B0BE-6218-2900-000000003702}27923692C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{414E8EDF-C969-6218-C703-000000003702}5848C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000189440Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:53.004{414E8EDF-C969-6218-C703-000000003702}5848C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{414E8EDF-B0AE-6218-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{414E8EDF-B0BE-6218-2900-000000003702}2792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000134593Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:54.634{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB95F2C6F1FE592E49371CE9B43806AE,SHA256=F350CDBC8F6E890CC75316EBF9CEE92A4720854E6755A3DA2C26C347204AC36A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000189461Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:52.868{414E8EDF-B0AE-6218-0B00-000000003702}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-478.attackrange.local52624-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-478.attackrange.local389ldap 354300x8000000000000000189460Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:52.868{414E8EDF-B0BE-6218-2B00-000000003702}2820C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-478.attackrange.local52624-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-478.attackrange.local389ldap 23542300x8000000000000000189459Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:54.034{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C672236B6767E9E82F953BE6A97CE538,SHA256=3D7420A76AF5ABCF3D596AE728E5FB8B695C7B911D18080897704F7DC827FF14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134595Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:55.649{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F9DA75E0379DB0D170A50243BF2E3F0,SHA256=8A4788AB0D7E1CB4084DCFF81E5D430F9394E4ECA2DCDD4A87A617295DC09E39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189462Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:54.987{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FA82718E2CDC7976D071B30F391C086,SHA256=6DF39EC72AEFF24A55E02D06EE712C34E79352FF7C02D1CBAC014105F6C37BAF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000134594Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:52.610{6AAC6DF5-B0C0-6218-5B00-000000003802}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-933.eu-central-1.compute.internal50929-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000134596Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:56.696{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23576C7A3F5D925769C6955BC8424E33,SHA256=5EEAF2BAB2541A5CDA579E3E6604D405A2C0E5D14A65F23ADD26B77544E41CE0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000189471Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:56.987{414E8EDF-B0C0-6218-3300-000000003702}31843204C:\Windows\system32\conhost.exe{414E8EDF-C96C-6218-C903-000000003702}1072C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189470Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:56.987{414E8EDF-B0AE-6218-0500-000000003702}4165324C:\Windows\system32\csrss.exe{414E8EDF-C96C-6218-C903-000000003702}1072C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000189469Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:56.987{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189468Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:56.987{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189467Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:56.987{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189466Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:56.987{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189465Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:56.987{414E8EDF-B0BE-6218-2900-000000003702}27923692C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{414E8EDF-C96C-6218-C903-000000003702}1072C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000189464Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:56.988{414E8EDF-C96C-6218-C903-000000003702}1072C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{414E8EDF-B0AE-6218-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{414E8EDF-B0BE-6218-2900-000000003702}2792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000189463Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:56.003{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53B8E57B5B6F61A29DC558DC547E445F,SHA256=244D15A354AFB9172103FEAFD52BB7469DD55C3F46A2CC13D46BB2CCAAB49FB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134597Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:57.743{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA7A4B5EC6A0B183FDD4A45F6EFD55C0,SHA256=795ABD440C5E94C746900A4BD570C053FD4328EC30A0FBC818C65DB53422386B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000189473Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:55.618{414E8EDF-B0C9-6218-6A00-000000003702}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52625-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000189472Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:57.019{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A58B1698168DBFDDCC5977EA4E66EF5,SHA256=4F5C1E92098CE7E2211304ECE7122DBA6EB623ADB14DC23162BFBE7FDB60825F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134598Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:58.759{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44CBDF89DBA07AA73DE6941DF796A14E,SHA256=9B7A6E79215957DC38AEAFA3FE2FEDE1FD81AC674B76E523EF00F00D435C42BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189475Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:58.066{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A17CA6C60684A491F7D7AD9EC747186,SHA256=181F470B274FD5F04EE7A3CE289DC98F7B0731050EF976A8F6B9E8FDE53B9F37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189474Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:58.019{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=93B025B37D989B5517C81CB63E6948D8,SHA256=A679C9967CCA03D2962881CF47A253366288932DE1C3054E05B51D49BDE482D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134599Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:59.790{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16FF0C8B3FB8B6C78213744A48DEC20F,SHA256=37D6445FA06EF6567F034979BA13CBE6F865A6C707EF2EA7EBCDA4F23AF0827E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189476Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:19:59.097{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51CDD045E78B9B6E187D7D06B1067F8E,SHA256=FDB495DF800F5E993917B289AE0EA43427A14685CB1E74106735A941BCB3F136,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134601Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:00.806{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=147089CC78D6476E174B5FE5EF767A81,SHA256=3540D67911BEB08F17288D51EFC3FA1B29D70E9323A05FCC4D90B4DBE4FB1A3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189477Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:00.144{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CAAC56D3E6779A2518873A969D989B3,SHA256=0F00C9A6507A7D9F398B6FE59CC3EA6AF599FF7B460B27D5716E08C0D8789C86,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000134600Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:19:57.673{6AAC6DF5-B0C0-6218-5B00-000000003802}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-933.eu-central-1.compute.internal50930-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000134602Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:01.821{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=334E97F647E018573263B539AE91FEE4,SHA256=DAC78EDF370BA92065681DB880C48768524E845F029D6D239E29A38DA493D4EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189478Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:01.159{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14791B63559370B933EC7288C7ABFC8C,SHA256=E5F03A1B7B1B303623219C5BB9989DEF38FB5D199EFDF3DAF5F6BAD1E49BB4BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134603Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:02.837{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB4EC5D1EBD193E37BAC80BAD8609A9B,SHA256=92FC339363E81D89AC398C8F7AC2679014006A0B65570F6A6A72C7FC60BD98B3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000189480Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:00.650{414E8EDF-B0C9-6218-6A00-000000003702}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52626-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000189479Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:02.160{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD2D6D3BCF008D883B7770BFD3835803,SHA256=8E62A853FCCB26F47A0DDFC6F5E4F4272D951862E6D7942E587256DEBB616F0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134604Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:03.853{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B14A2FF7AE790192030DACBFEB517B7,SHA256=E45D21D4183D9AD692D2E4F22EFA20ACA34C509CEAF5111363A2D83F0623B0B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189481Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:03.237{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07F75FB4F8B820AA92EDC4E0649D72C8,SHA256=8E2F88A6115086F0A983E79730E8FF31C1AC52A807FFD82F1DC434E151FE4342,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134605Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:04.868{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C652412C9F4076AEFC2C687654E59010,SHA256=B6C9A240379733FCD1BE159C4A12ADDDDCC9C145B760A8FB791534A349CD7884,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189482Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:04.237{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0DBD3640294B0F34D8DC4873A088998,SHA256=F3181792A26130E20EBDE25FD9C6EF446ADE224619270FFDF1CD1BC6CBF69668,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134607Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:05.884{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFCF5CC01CBE58CB6947CEC95AAB4EEA,SHA256=AD5B0755324734EC93719A7DAAB5CE0B8498A44C09FAEFBAC56656486DB3DC56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189483Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:05.269{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DA94DA25629B477C6E8DD0BFF563871,SHA256=2A133489C6DA0768A4500810A4571AEBEFF287990F26F3251948B09B07C5175A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000134606Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:03.657{6AAC6DF5-B0C0-6218-5B00-000000003802}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-933.eu-central-1.compute.internal50931-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000134609Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:06.962{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F39759D0B3258A21FA6BB6E4F2153F00,SHA256=B2FD9318599504ACE9F8DF657873C6D620A7FDE625AE06497C074902632DB057,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189484Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:06.503{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38D41291CA100F6D006DE3B5DE76EE23,SHA256=C7213AF478833B6D659AEB778C37CAFF7B905A62698EF471A410D476EE9F142C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134608Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:06.042{6AAC6DF5-B0B2-6218-1D00-000000003802}1952NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d7ccee276d30a4b6\channels\health\respondent-20220225103429-102MD5=FBD42F5F8AA0DC0DD6067820063FF10B,SHA256=AAA41009555F09EFB0ED817562D7125DD50A33AE671816E82835424EE5CAE232,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134611Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:07.977{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DA6EC0BFD25B16D4B774A6F9BB289D8,SHA256=F85D8A296AD16E9DE3B2AFF707067A221AFA38C4FCA5F61C264D4A8E7E6D8489,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000189486Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:07.800{414E8EDF-B0AE-6218-0B00-000000003702}632804C:\Windows\system32\lsass.exe{414E8EDF-B0B1-6218-1400-000000003702}972C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000189485Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:07.534{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50AD42B9A4D2ECF88720DC16AA16E96D,SHA256=DC9836A651E85EBE8B92E242E7C414CE95194DF03E6FAB75E1BAC36CF43D9796,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134610Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:07.057{6AAC6DF5-B0B2-6218-1D00-000000003802}1952NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0d7ccee276d30a4b6\channels\health\surveyor-20220225103427-103MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134612Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:08.993{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCE8C858B9485D7574A2BBAE1C740C26,SHA256=DEDDEF3623F3FF759F3C22938741E0E50C09F6A4319B0204E5DE15FCBAE5B7B8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000189492Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:06.650{414E8EDF-B0C9-6218-6A00-000000003702}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52627-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000189491Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:08.550{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F87997C9AFD5B382011546DEDDECB57,SHA256=39818ADE4389EAD1CF530E837068F0569579171A26ECBE7311F3A838C7CF47B8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000189490Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:08.206{414E8EDF-B0AE-6218-0B00-000000003702}632684C:\Windows\system32\lsass.exe{414E8EDF-B0AB-6218-0100-000000003702}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+97022|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2f1f1|C:\Windows\system32\lsasrv.dll+2d0d6|C:\Windows\system32\lsasrv.dll+32475|C:\Windows\system32\lsasrv.dll+302fb|C:\Windows\system32\lsasrv.dll+2f1f1|C:\Windows\system32\lsasrv.dll+1752d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000189489Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:08.206{414E8EDF-B0AE-6218-0B00-000000003702}632684C:\Windows\system32\lsass.exe{414E8EDF-B0B1-6218-1400-000000003702}972C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189488Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:08.113{414E8EDF-B0AE-6218-0B00-000000003702}632684C:\Windows\system32\lsass.exe{414E8EDF-B0B1-6218-1600-000000003702}1288C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189487Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:08.097{414E8EDF-B0AE-6218-0B00-000000003702}632804C:\Windows\system32\lsass.exe{414E8EDF-B0B1-6218-1600-000000003702}1288C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000189501Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:09.784{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8CB7E91482011826CE08F6EC168AD3F,SHA256=301AF6811442164396E05E04A8B71ACA3065F03CC1BCD090A29F4E8AD605B7A8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000189500Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:08.623{414E8EDF-B0AE-6218-0B00-000000003702}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52630-false10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local389ldap 354300x8000000000000000189499Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:08.623{414E8EDF-B0B1-6218-1600-000000003702}1288C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52630-false10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local389ldap 354300x8000000000000000189498Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:08.608{414E8EDF-B0AE-6218-0B00-000000003702}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:5147:9304:4b1c:595fwin-dc-tcontreras-attack-range-478.attackrange.local52629-truefe80:0:0:0:5147:9304:4b1c:595fwin-dc-tcontreras-attack-range-478.attackrange.local389ldap 354300x8000000000000000189497Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:08.608{414E8EDF-B0B1-6218-1600-000000003702}1288C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:5147:9304:4b1c:595fwin-dc-tcontreras-attack-range-478.attackrange.local52629-truefe80:0:0:0:5147:9304:4b1c:595fwin-dc-tcontreras-attack-range-478.attackrange.local389ldap 354300x8000000000000000189496Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:08.314{414E8EDF-B0AB-6218-0100-000000003702}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:5147:9304:4b1c:595fwin-dc-tcontreras-attack-range-478.attackrange.local52628-truefe80:0:0:0:5147:9304:4b1c:595fwin-dc-tcontreras-attack-range-478.attackrange.local445microsoft-ds 354300x8000000000000000189495Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:08.309{414E8EDF-B0AB-6218-0100-000000003702}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:5147:9304:4b1c:595fwin-dc-tcontreras-attack-range-478.attackrange.local52628-truefe80:0:0:0:5147:9304:4b1c:595fwin-dc-tcontreras-attack-range-478.attackrange.local445microsoft-ds 23542300x8000000000000000189494Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:09.128{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6616E22E64564226A69578B1FD09789E,SHA256=6E785D417AD61D14C6DA6FB09ADB527B0B2946CA615FFABB3FC44AD414924044,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189493Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:09.128{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D05A2706096DF6C54CB14CF71172A2DB,SHA256=5BA28762C1CB45DCC72F53DFDD9BC8FDB404219BA5CC6581E9067F2E6C00B171,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189502Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:10.863{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC9E73B50B26DF562AA58739627CE61D,SHA256=A6D77DD6A79BA4890A90689C06EB7F7D177FB7FC700BEC0EE6FC630594E12544,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134613Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:10.024{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A99947EDDF010C22852088FC1BAC118,SHA256=382553DE8441680D7492D230EF387451A58321396B3CC29BE10EB5177DDD9C8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189503Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:11.941{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48E5F2A0D388A155CC199BFA69683E65,SHA256=DE42A42D2A8F0CCE82800281588B964B9FE4B3C8500952E4E2C8C97CD6491CBB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000134615Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:09.673{6AAC6DF5-B0C0-6218-5B00-000000003802}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-933.eu-central-1.compute.internal50932-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000134614Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:11.040{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=121088D21AE237DE67A2B0BFAE6319C4,SHA256=170ED0A9694C23B3F4E158E1C2A9424BE7192E65CB6193D31BBD3F37E46079C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189504Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:12.941{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D96C70CE58C000D3CB6F93166C38964A,SHA256=543B258B90F12D07CB641899CF37BDC16901652810AD1E1469A1E1269888F55F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134616Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:12.087{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E24DB006B5D270AE13970F969BF9CE2A,SHA256=2E29F2932629FDB5296A8CF872DB888BD8D10D5E71B8F4E5447CAB53C15391C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189508Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:13.956{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02C77C4B3BDC3C8D366C1A22FC0B0FDC,SHA256=59CD00BCA16D18BFC1F56E78AEBDE5275E2BDB1422065D0182BC6DFE878062F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134617Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:13.134{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D63FCFBA8F6FA617145BDF6FFB79E906,SHA256=2D458FC6910A21337F3D7DC77563F72C2F8161EFB47B3921D1C25F4226A2518A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000189507Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:12.602{414E8EDF-B0C9-6218-6A00-000000003702}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52631-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000189506Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:13.066{414E8EDF-B0AE-6218-0B00-000000003702}632684C:\Windows\system32\lsass.exe{414E8EDF-B0B1-6218-1200-000000003702}500C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189505Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:13.066{414E8EDF-B0AE-6218-0B00-000000003702}632684C:\Windows\system32\lsass.exe{414E8EDF-B0B1-6218-1200-000000003702}500C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000189510Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:14.972{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D268B943C57D1059115018C4FA29F400,SHA256=820433EF682BF3B16E06849EECD05F0115F6AC95D88DB19E4177B8D4FBA1B5A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134618Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:14.165{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F22DA34E081D670162D18B450BB9709,SHA256=E80BFC52F2D55BF251F09D532CB37335D453B0E12E12748A477695D06B659E95,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000189509Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:13.574{414E8EDF-B0BE-6218-2A00-000000003702}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-478.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-478.attackrange.local58956- 23542300x8000000000000000134619Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:15.181{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=013A4436552796EBDC5E3E635CAE4FF7,SHA256=37DC184FD433C9C94A497795D25E59209DBE7379154F13B6948C9506DF175658,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134620Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:16.196{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAA80E5B9DECBC3F5B3764702E32E83A,SHA256=3C82CC42F8FF88C447ADCD2149970A9CB5FA38165A975A39F295E7769A50D6A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189512Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:16.836{414E8EDF-B0BE-6218-2400-000000003702}2716NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0cad71091a725587e\channels\health\respondent-20220225103441-102MD5=E961008872A85D9E7B2EDCDB9076BE5A,SHA256=4C7B4263F3F8553ACCFCCC53A0FA56737D447810FFCB4A43A3BA8D688A9FDFED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189511Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:16.003{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=241DDF8EE689C46AC934F3AEFC3108B8,SHA256=2EB44C22DFCB82EE7CDCF7F433DD8EA051F5FC5BE47E2FFC12F0DA28B22B660A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134621Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:17.228{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CF6C9B39056176F561A23343C6EB973,SHA256=D77037D10ED29CB6882B3E2AAAC629450FA6C0192BC9E6C03394E113CF50BF64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189514Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:17.838{414E8EDF-B0BE-6218-2400-000000003702}2716NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0cad71091a725587e\channels\health\surveyor-20220225103439-103MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189513Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:17.008{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D16453F098ADDE3D2C54B29E959519D,SHA256=B1FEB6E30EFA3E85C59D10A2BB6CAC2638270C2B13FCFF6F649BEA048C384BBF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134623Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:18.259{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F804AD0BA71440DBF47202556D5BFDF,SHA256=25F976C5C716E623588E40C60D6556FC8911A862229FA4A72BCFF9787E437A68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189515Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:18.022{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FB7F133C933A41C53075C0B471082EC,SHA256=9F8064240A3B283A5D601660B8DD2C39625A25BD86797204155B33676102129B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000134622Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:15.656{6AAC6DF5-B0C0-6218-5B00-000000003802}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-933.eu-central-1.compute.internal50933-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000134624Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:19.274{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6D30113E11C524C47B5135310393CC7,SHA256=5446498821F60DB44F02F260B300ACEA2B287BF74E76BD0C82B274DE75071146,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000189519Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:18.590{414E8EDF-B0C9-6218-6A00-000000003702}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52632-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000189518Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:19.822{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=391BCADA9FA2580BE03EF0BF0A51D65D,SHA256=507434BBDFC93F686B865717F70CECF4CD8B337C22FFD8275CD239F3534AE588,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189517Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:19.822{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6616E22E64564226A69578B1FD09789E,SHA256=6E785D417AD61D14C6DA6FB09ADB527B0B2946CA615FFABB3FC44AD414924044,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189516Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:19.025{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E1CC49BC77FC6F8FD525B999B9522D1,SHA256=AFB31A0C7F912B48B58A719E9BEA66A74AC1FA5AB72533AF4B257757096FA05E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134625Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:20.368{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C710C546EEF161E8D34A71AFE4E5E0D5,SHA256=113F6F37083B0B1EFA847A85AF8EA7670891AAE4F4D66AB97DA7D3077E4963BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189520Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:20.041{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0D2C570725B2A25A0EAEA49F77A6A07,SHA256=BF088DE87AAE07AA55EB152851C729ABC7F64465E2AB9D7CFDB73FB43310BBF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134626Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:21.400{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D0C67EF8A90719FBB4BC1D4BDDF0823,SHA256=39AC2F8B6E2FC3FEE7AB51D19F8DF38D1C7A142BD21946300AEA9B60A8BF6169,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189521Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:21.057{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7F726FD69CBBBB070E42C4352B619D2,SHA256=79020D898DFE911E95EC7C3F3B2DD7B286BD7A7E896093B62D1C38B5699EECF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134627Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:22.446{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=478E366DAFBA29820262F71A4B4FAA87,SHA256=6763A19A64358F700014DA60AFD657D076E9349C9C74B7E959D7959F72037197,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189522Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:22.057{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2ABBA68A30A47C302D4E89F1F8903CB7,SHA256=D64765BB6AD194C222D65EAC4BA9483E4A680093C101C5D050CFBA9A55366B52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134628Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:23.462{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CBEED983ECEB3A551B6294F5EA9F18A,SHA256=2C5718623ECF70A607DF443E49A580841C8DC824D33156AAEB7ED2C1C6614CEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189523Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:23.072{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9072C6BB7263798E676B0E000D75DD5A,SHA256=537C7442968444FE937FFC74B8900B57FA3F08BB9709A7CF168C1E31337A11DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134630Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:24.493{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FC677070A3416BD2945B00482041928,SHA256=EB0A19F727CC7F7F382EB24CCAEA148C5C4EBBABCF08989271FF3B724C21BD9A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000189525Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:23.593{414E8EDF-B0C9-6218-6A00-000000003702}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52633-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000189524Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:24.088{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=917FBE4E0D36C1E866F962251778A31A,SHA256=70C673133C7F1116A06F328AC78FFC3705441FEA34A8AAACF62BD4529AAE9DBA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000134629Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:21.656{6AAC6DF5-B0C0-6218-5B00-000000003802}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-933.eu-central-1.compute.internal50934-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000134631Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:25.509{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98BE3688A17ACBA8B4B8B73A8F6BE561,SHA256=47A4E86B674DEB5D2A97E64C5EFB140C40B9C13597D121A9ED56ABA98E51B28C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189527Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:25.494{414E8EDF-B0B1-6218-1100-000000003702}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=1D1F70383802748080B012B698309306,SHA256=536EFA742A1BA0A40386D4F47D55259106C002D7E24795E09670CA13B85851D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189526Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:25.088{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A4586B0A73D6C29F1ACE091F17A651E,SHA256=4C47D2AF71F596E18F5D6EEF7BE6BA882FE556566BAC654D05B06293A8D2B79E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134633Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:26.790{6AAC6DF5-B0B1-6218-1300-000000003802}108NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=18F81E47B794EAA57CD5589514AFABAE,SHA256=58C06A85ADD36B61B968070C0B42DA13448E383DEA4AC4A8364A8181E7D4B8E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134632Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:26.540{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D8731184D842FBC5C4293C04FDC6C2B,SHA256=3C710597C00480FBBE8A8DA516484B32B4D064FC47653B8364AB8CE4FEF7FA5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189528Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:26.104{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19ED348D5A1B5A676FA800A2D44B4DE6,SHA256=6B48F5678FD2FFE339696991341072CB089DB6F7481C98AF6D2069B60B02CFD1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134634Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:27.572{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0404C8AD09F103C7663755742B7C89CA,SHA256=A2EA6381D5DF1FB7B10844315398D4171894A13242878C8E3335A5A6A45CE413,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189529Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:27.104{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BDE34823FF5AC6D0EE0017762BA12C1,SHA256=38F59A2798ABE385D5F3C22DCF3A8E9174B6208E748B9AA4A0C2576A784F7C62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134635Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:28.681{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFE52E3AFD1F5BF1291A3C814F10F92E,SHA256=FF4911E1A80192B89710FBCF660178B2EB19390077C035842367F8A9CD9D6C07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189530Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:28.119{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C76FED0917AFCF02C48BB3A149557EFF,SHA256=BBC37881A4EE4AECADB1C750D95624269E7C48AFA87D6070A63BD2FC9A57DCD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134637Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:29.759{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BBBE1D73461745BFB5225479F60B022,SHA256=D3E7FA0BE34F580DA5FE120B71A33303EFD7DD82C4516A90D53D5BA167024A79,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000189536Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-SetValue2022-02-25 12:20:29.479{414E8EDF-B0BE-6218-2300-000000003702}2708C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\6FC0DF5C-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_6FC0DF5C-0000-0000-0000-100000000000.XML 13241300x8000000000000000189535Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-SetValue2022-02-25 12:20:29.463{414E8EDF-B0BE-6218-2300-000000003702}2708C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\5AC55B93-C186-4CC0-9DA1-B24F3F6A7ED5\Config SourceDWORD (0x00000001) 13241300x8000000000000000189534Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-SetValue2022-02-25 12:20:29.463{414E8EDF-B0BE-6218-2300-000000003702}2708C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\5AC55B93-C186-4CC0-9DA1-B24F3F6A7ED5\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_5AC55B93-C186-4CC0-9DA1-B24F3F6A7ED5.XML 10341000x8000000000000000189533Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:29.463{414E8EDF-B0AE-6218-0B00-000000003702}632804C:\Windows\system32\lsass.exe{414E8EDF-B0BE-6218-2300-000000003702}2708C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189532Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:29.463{414E8EDF-B0AE-6218-0B00-000000003702}632804C:\Windows\system32\lsass.exe{414E8EDF-B0BE-6218-2300-000000003702}2708C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000189531Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:29.135{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75BC3DD47B250AFAD433B110553BABD9,SHA256=412E08A1B19089446F83650B8499744616EA1743D3F363A52FD50686BC04519F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000134636Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:26.719{6AAC6DF5-B0C0-6218-5B00-000000003802}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-933.eu-central-1.compute.internal50935-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000134649Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:30.759{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56BDFF93E44FCC81FE3A63CA1D6A0023,SHA256=34FD28C0BE5232663600C8A373804424587CF2943575C0264118138E2F2F9A15,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000189540Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:30.322{414E8EDF-B0AE-6218-0B00-000000003702}632436C:\Windows\system32\lsass.exe{414E8EDF-B0BE-6218-2300-000000003702}2708C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189539Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:30.322{414E8EDF-B0AE-6218-0B00-000000003702}632436C:\Windows\system32\lsass.exe{414E8EDF-B0BE-6218-2300-000000003702}2708C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189538Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:30.322{414E8EDF-B0AE-6218-0B00-000000003702}632436C:\Windows\system32\lsass.exe{414E8EDF-B0BE-6218-2300-000000003702}2708C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000189537Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:30.135{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E86C4EF03C1789043D3860F59EED5A6A,SHA256=CD9E5BB23B21BA32697FC93FEA0FF4BF52E6FA4CE88C439EB4AA3FB8517EA176,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000134648Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-SetValue2022-02-25 12:20:30.369{6AAC6DF5-B0B0-6218-0B00-000000003802}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x8000000000000000134647Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-SetValue2022-02-25 12:20:30.369{6AAC6DF5-B0B0-6218-0B00-000000003802}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00613909) 13241300x8000000000000000134646Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-SetValue2022-02-25 12:20:30.369{6AAC6DF5-B0B0-6218-0B00-000000003802}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d82a39-0xb22d9439) 13241300x8000000000000000134645Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-SetValue2022-02-25 12:20:30.369{6AAC6DF5-B0B0-6218-0B00-000000003802}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d82a42-0x13f1fc39) 13241300x8000000000000000134644Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-SetValue2022-02-25 12:20:30.369{6AAC6DF5-B0B0-6218-0B00-000000003802}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d82a4a-0x75b66439) 13241300x8000000000000000134643Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-SetValue2022-02-25 12:20:30.369{6AAC6DF5-B0B0-6218-0B00-000000003802}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x8000000000000000134642Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-SetValue2022-02-25 12:20:30.369{6AAC6DF5-B0B0-6218-0B00-000000003802}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00613909) 13241300x8000000000000000134641Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-SetValue2022-02-25 12:20:30.369{6AAC6DF5-B0B0-6218-0B00-000000003802}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d82a39-0xb22d9439) 13241300x8000000000000000134640Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-SetValue2022-02-25 12:20:30.369{6AAC6DF5-B0B0-6218-0B00-000000003802}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d82a42-0x13f1fc39) 13241300x8000000000000000134639Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-SetValue2022-02-25 12:20:30.369{6AAC6DF5-B0B0-6218-0B00-000000003802}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d82a4a-0x75b66439) 23542300x8000000000000000134638Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:30.118{6AAC6DF5-B0B2-6218-2200-000000003802}1500NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=4A396A40DE4AD844AFDFD6BFEE34209D,SHA256=ABC582D2644B8C5C1CF17206963A01B55D9A40BBB1979B03D8F2D216AA803ABE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134651Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:31.775{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=398873EB43A6A761A1A3411411E0EDD0,SHA256=7A2C33F10B776A15682D227297FFFA7E0E076917F595AFDA6DDE1B73CD969179,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189551Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:31.322{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B10BFE676493E38F4F4C95CEA227B8BF,SHA256=DF532BF73EF75E02E934A8A073D37F6674C549D3ED715B70F9B7FE578091F841,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189550Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:31.322{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=391BCADA9FA2580BE03EF0BF0A51D65D,SHA256=507434BBDFC93F686B865717F70CECF4CD8B337C22FFD8275CD239F3534AE588,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000189549Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:31.322{414E8EDF-B0AE-6218-0B00-000000003702}632804C:\Windows\system32\lsass.exe{414E8EDF-B0BE-6218-2300-000000003702}2708C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189548Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:31.322{414E8EDF-B0AE-6218-0B00-000000003702}632804C:\Windows\system32\lsass.exe{414E8EDF-B0BE-6218-2300-000000003702}2708C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189547Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:31.166{414E8EDF-B0AE-6218-0B00-000000003702}632804C:\Windows\system32\lsass.exe{414E8EDF-B0BE-6218-2300-000000003702}2708C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189546Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:31.166{414E8EDF-B0AE-6218-0B00-000000003702}632804C:\Windows\system32\lsass.exe{414E8EDF-B0BE-6218-2300-000000003702}2708C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189545Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:31.166{414E8EDF-B0AE-6218-0B00-000000003702}632804C:\Windows\system32\lsass.exe{414E8EDF-B0BE-6218-2300-000000003702}2708C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000189544Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:31.151{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D6FFC6FFC273B2979EE007AF1F4A83C,SHA256=E02BA47C02BB97E528891088117BEDF4170824674283C735F34C51E98CCE44C8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000189543Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:29.970{414E8EDF-B0B0-6218-0D00-000000003702}900C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:5147:9304:4b1c:595fwin-dc-tcontreras-attack-range-478.attackrange.local52635-truefe80:0:0:0:5147:9304:4b1c:595fwin-dc-tcontreras-attack-range-478.attackrange.local135epmap 354300x8000000000000000189542Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:29.970{414E8EDF-B0BE-6218-2300-000000003702}2708C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:5147:9304:4b1c:595fwin-dc-tcontreras-attack-range-478.attackrange.local52635-truefe80:0:0:0:5147:9304:4b1c:595fwin-dc-tcontreras-attack-range-478.attackrange.local135epmap 354300x8000000000000000189541Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:29.562{414E8EDF-B0C9-6218-6A00-000000003702}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52634-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000134650Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:29.610{6AAC6DF5-B0B2-6218-2200-000000003802}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-933.eu-central-1.compute.internal50936-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000134652Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:32.837{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CB44F1D2588FEE7452B38644429FB6E,SHA256=62BAE4E77A2415050E03D3E2B16BB9B2EC96FCA58845936BD27D15710390A289,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189562Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:32.291{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8E884B2B5697F700E947F492FF9F59F,SHA256=4534368A8CA68A92337CA1BF0E3C8545582F60A7BB1EB88B1A284EF340696916,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000189561Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:31.671{414E8EDF-B0AE-6218-0B00-000000003702}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52637-false10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local389ldap 354300x8000000000000000189560Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:31.671{414E8EDF-B0BE-6218-2300-000000003702}2708C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52637-false10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local389ldap 354300x8000000000000000189559Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:30.827{414E8EDF-B0AE-6218-0B00-000000003702}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52636-false10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local389ldap 354300x8000000000000000189558Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:30.827{414E8EDF-B0BE-6218-2300-000000003702}2708C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52636-false10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local389ldap 354300x8000000000000000189557Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:29.992{414E8EDF-B0B1-6218-1400-000000003702}972C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10e:0:0:9880:66e5:9be:ffff-58860-truee000:fc:0:0:0:0:0:0-5355llmnr 354300x8000000000000000189556Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:29.992{414E8EDF-B0B1-6218-1400-000000003702}972C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruefe80:0:0:0:5147:9304:4b1c:595fwin-dc-tcontreras-attack-range-478.attackrange.local58860-trueff02:0:0:0:0:0:1:3-5355llmnr 354300x8000000000000000189555Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:29.989{414E8EDF-B0BE-6218-2A00-000000003702}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-478.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-478.attackrange.local51145- 354300x8000000000000000189554Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:29.986{414E8EDF-B0BE-6218-2A00-000000003702}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local62773-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 354300x8000000000000000189553Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:29.986{414E8EDF-B0BE-6218-2A00-000000003702}2812C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-478.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-478.attackrange.local49183- 354300x8000000000000000189552Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:29.986{414E8EDF-B0B1-6218-1400-000000003702}972C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-478.attackrange.local49183-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-478.attackrange.local53domain 23542300x8000000000000000134653Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:33.869{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00234CCD0414A9A56EE843D846D07F33,SHA256=1F05F80D4A4B58306493B8B58E8ECF1D72194E1BC01E989B76BA11D09DBE68C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189563Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:33.323{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A9F7466B06EF7F2C23FF915A47A2C18,SHA256=AA31F439D1FCA6F9982B9BAB906E8EC42FE3C6BED01DEC8170E3B05789534BD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134655Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:34.869{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C33387FCE713AB0E01AD44F2211F0D40,SHA256=B2D75B5766E052A851F6BD5A446247D36BED160C2F2430A5AFC98863365E9C12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189564Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:34.323{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B49B8591318BB642E08243C5B11F6CAA,SHA256=8E2112817A2DE8A30FFC02BB605F1A6F2CF5EE3DC9C3DAFA7A9EF0561F62EB16,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000134654Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:32.719{6AAC6DF5-B0C0-6218-5B00-000000003802}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-933.eu-central-1.compute.internal50937-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000134656Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:35.884{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76BC82D89A1F5A849B79EBEC83C7DF66,SHA256=31832280ADB74849194DC8BF24D9738E547F9D1A7789BA2293F71CC3D25E7AB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189565Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:35.432{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=347F96B61C257345337DEFDEAE3CF84B,SHA256=A3FEA34C7AFD2588D41BFC0C5AEF53D71679D2F8CE5CB11C209242E0D361D086,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134657Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:36.884{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44F688E4B61844D92F6F53668F078C12,SHA256=EE1113D8DB581603AE9C08BA06D5D9A06EF29A54A60274382A81BF8C02167696,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189567Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:36.432{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=182F74F0BEEE60D8B23AE47D1B47286C,SHA256=DAB35CA4389433A67113E01DE4E2749896C32E91D1429743A7B049B1D812D1A0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000189566Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:34.593{414E8EDF-B0C9-6218-6A00-000000003702}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52638-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000134658Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:37.900{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0CBF190D5A7047F3E547BAF54640BAA,SHA256=738B2340655D75E481812DBB31557B419E2F131BD30FDB05DFE84A238B99CCE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189568Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:37.541{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AA1D54B5E8EDFB15BDD811D355C6B88,SHA256=B79B0C5AA6C811F9ACFCFA08AD7C51FC7583E29F2830A040CF1B7D68844A2A74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134659Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:38.947{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4288926F0B33795F60C4142E278B31B,SHA256=6D7CF8B7C67B6D726C9F6140E0D9877BBC71E5ED7398DE321858D5FF7426DB9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189570Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:38.573{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C02B8E5BEA2A3D9B36908C34363F0DC6,SHA256=AA2CEA13D56699B84544361DD50F0C8057A3AA86DD0B04A311B2D10B73A77140,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189569Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:38.494{414E8EDF-B0BE-6218-2900-000000003702}2792NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=4A396A40DE4AD844AFDFD6BFEE34209D,SHA256=ABC582D2644B8C5C1CF17206963A01B55D9A40BBB1979B03D8F2D216AA803ABE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134660Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:39.978{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5952DA9B835B96E27AF507AA22E61C7,SHA256=57F705B019BBE3B2BCB0B8007261748EA673A36B9F4189A1E842F9BA7E010924,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189571Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:39.588{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1794AA2DB9DE87C8942926D43402829C,SHA256=1490783E974EB713C270848D67FFD7243C09AE47D562126639D7120A448C5A7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189573Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:40.619{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D81CE8F9D222F429EC5AA23856C30D2E,SHA256=8780ED8EC7BA78C4F7DFB4316563C432AF047CD57EAFA59E43B84266E3513F7F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000134674Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:38.672{6AAC6DF5-B0C0-6218-5B00-000000003802}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-933.eu-central-1.compute.internal50938-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000134673Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:40.666{6AAC6DF5-B0B4-6218-2B00-000000003802}28082828C:\Windows\system32\conhost.exe{6AAC6DF5-C998-6218-7B03-000000003802}1036C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134672Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:40.666{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134671Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:40.666{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134670Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:40.666{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134669Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:40.666{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134668Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:40.666{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134667Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:40.666{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134666Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:40.666{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134665Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:40.666{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134664Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:40.666{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134663Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:40.666{6AAC6DF5-B0AF-6218-0500-000000003802}424440C:\Windows\system32\csrss.exe{6AAC6DF5-C998-6218-7B03-000000003802}1036C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000134662Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:40.666{6AAC6DF5-B0B2-6218-2200-000000003802}15003888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6AAC6DF5-C998-6218-7B03-000000003802}1036C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000134661Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:40.666{6AAC6DF5-C998-6218-7B03-000000003802}1036C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6AAC6DF5-B0B0-6218-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{6AAC6DF5-B0B2-6218-2200-000000003802}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000189572Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:38.984{414E8EDF-B0BE-6218-2900-000000003702}2792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52639-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000189574Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:41.698{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A29BEE08C47E5164FB10D6B3D5AD0A38,SHA256=89F4364F30911800773429E445414E7A3C8C66A6E54B1E05B518773D11A8618D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000134704Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:41.837{6AAC6DF5-B0B4-6218-2B00-000000003802}28082828C:\Windows\system32\conhost.exe{6AAC6DF5-C999-6218-7D03-000000003802}2380C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134703Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:41.837{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134702Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:41.837{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134701Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:41.837{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134700Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:41.837{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134699Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:41.837{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134698Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:41.837{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134697Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:41.837{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134696Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:41.837{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134695Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:41.837{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134694Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:41.837{6AAC6DF5-B0AF-6218-0500-000000003802}424540C:\Windows\system32\csrss.exe{6AAC6DF5-C999-6218-7D03-000000003802}2380C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000134693Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:41.837{6AAC6DF5-B0B2-6218-2200-000000003802}15003888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6AAC6DF5-C999-6218-7D03-000000003802}2380C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000134692Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:41.838{6AAC6DF5-C999-6218-7D03-000000003802}2380C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6AAC6DF5-B0B0-6218-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{6AAC6DF5-B0B2-6218-2200-000000003802}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000134691Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:41.681{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6C236A4096238542AE4D78FF349A531A,SHA256=907BF32EBF0BEEF38194B30A383EF063B8D15CA485DCCA5B5E1074DBCBA1D39C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134690Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:41.681{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C5BD84E29BDF16B306489AFFB1C1B733,SHA256=0635CEA69AD67B6717CF7D5A12C74C0D46ADA3EE5B8EC085DC981A2A7ABD470F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000134689Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:41.603{6AAC6DF5-C999-6218-7C03-000000003802}3012596C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{6AAC6DF5-B0B2-6218-2200-000000003802}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134688Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:41.337{6AAC6DF5-B0B4-6218-2B00-000000003802}28082828C:\Windows\system32\conhost.exe{6AAC6DF5-C999-6218-7C03-000000003802}3012C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134687Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:41.337{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134686Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:41.337{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134685Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:41.337{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134684Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:41.337{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134683Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:41.337{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134682Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:41.337{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134681Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:41.337{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134680Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:41.337{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134679Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:41.337{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134678Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:41.337{6AAC6DF5-B0AF-6218-0500-000000003802}4241012C:\Windows\system32\csrss.exe{6AAC6DF5-C999-6218-7C03-000000003802}3012C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000134677Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:41.337{6AAC6DF5-B0B2-6218-2200-000000003802}15003888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6AAC6DF5-C999-6218-7C03-000000003802}3012C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000134676Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:41.338{6AAC6DF5-C999-6218-7C03-000000003802}3012C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6AAC6DF5-B0B0-6218-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{6AAC6DF5-B0B2-6218-2200-000000003802}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000134675Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:41.009{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC339E74DF027250D08B3A49914EA4C9,SHA256=98480795D7A9CFBC47387FA192BB81385CBE5B90D10BDCE53A1EF1A779F4DB37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189576Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:42.745{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B2B210CB53B3D85096F451089E19BD9,SHA256=FC4EF9CD64665A05F3E2953081F10499BAEE0319F4704219D860F43CFABF3600,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134706Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:42.838{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6C236A4096238542AE4D78FF349A531A,SHA256=907BF32EBF0BEEF38194B30A383EF063B8D15CA485DCCA5B5E1074DBCBA1D39C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134705Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:42.134{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=972B08ABDD43FCE250ED40D2C7EF78C1,SHA256=79706510F0E49F929599B9E493E6639F9EB7EBE1EC1636AF09FBBC6A50F554EF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000189575Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:40.546{414E8EDF-B0C9-6218-6A00-000000003702}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52640-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000189577Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:43.776{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DB334E6E59EBE0AFDC8A76A65CC49BB,SHA256=F2E8498C48E9C7A3892B7D57FADE68503081FB164AFCB0DB4FAA923BE6B71EA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134707Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:43.150{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDD13A49690478246EDC2EA88FCBED30,SHA256=D1932FBAC8096B436A5C8EDEACCE5AF8CA2DDE2DF8972952CAA1B8F804225310,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189578Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:44.823{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D886FB41A049B48030D7218781F85984,SHA256=846E4D6D24D4EDAC52DF89DA9945F0ECD602B242AB334AC35F5C4D0990772BED,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000134722Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:44.916{6AAC6DF5-C99C-6218-7E03-000000003802}37041176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6AAC6DF5-B0B2-6218-2200-000000003802}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134721Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:44.728{6AAC6DF5-B0B4-6218-2B00-000000003802}28082828C:\Windows\system32\conhost.exe{6AAC6DF5-C99C-6218-7E03-000000003802}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134720Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:44.728{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134719Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:44.728{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134718Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:44.728{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134717Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:44.728{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134716Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:44.728{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134715Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:44.728{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134714Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:44.728{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134713Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:44.728{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134712Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:44.728{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134711Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:44.728{6AAC6DF5-B0AF-6218-0500-000000003802}424540C:\Windows\system32\csrss.exe{6AAC6DF5-C99C-6218-7E03-000000003802}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000134710Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:44.728{6AAC6DF5-B0B2-6218-2200-000000003802}15003888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6AAC6DF5-C99C-6218-7E03-000000003802}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000134709Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:44.729{6AAC6DF5-C99C-6218-7E03-000000003802}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6AAC6DF5-B0B0-6218-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6AAC6DF5-B0B2-6218-2200-000000003802}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000134708Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:44.150{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3396AF27AB87C9BE23C528E5BBCAA152,SHA256=58B4879BBA15150F830BFD29F7AE93768FF653B9B71834A10A387E3CC5A5011B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189579Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:45.838{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A56B3F59E53F4EA5183537821BFBD62,SHA256=63C05A313D36AE61F4B7435449BBA3123E0E440E2357382990387FD4FE3B10F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134738Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:45.744{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5A1EC8AEC3FC9CE2D3C20422A00F5479,SHA256=755E69EB94BFC3E9BAE91439D0193A2FACB38395C84CEE0162C81ED154D15C91,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000134737Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:45.666{6AAC6DF5-C99D-6218-7F03-000000003802}6082636C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6AAC6DF5-B0B2-6218-2200-000000003802}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134736Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:45.400{6AAC6DF5-B0B4-6218-2B00-000000003802}28082828C:\Windows\system32\conhost.exe{6AAC6DF5-C99D-6218-7F03-000000003802}608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134735Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:45.400{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134734Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:45.400{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134733Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:45.400{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134732Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:45.400{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134731Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:45.400{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134730Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:45.400{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134729Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:45.400{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134728Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:45.400{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134727Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:45.400{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134726Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:45.400{6AAC6DF5-B0AF-6218-0500-000000003802}4241012C:\Windows\system32\csrss.exe{6AAC6DF5-C99D-6218-7F03-000000003802}608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000134725Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:45.400{6AAC6DF5-B0B2-6218-2200-000000003802}15003888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6AAC6DF5-C99D-6218-7F03-000000003802}608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000134724Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:45.401{6AAC6DF5-C99D-6218-7F03-000000003802}608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{6AAC6DF5-B0B0-6218-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6AAC6DF5-B0B2-6218-2200-000000003802}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000134723Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:45.166{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB68908717772B4D7A52B95FDE8FA484,SHA256=7B1824BD44624F830AC3FAD62B2BA26CF9206C6FA49E83D4C0C18D52C2EEC072,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189581Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:46.963{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B908D71EEC4DA6B8455220901793D63C,SHA256=33DD59110C66529C87F5603662A88D168738EDAD60FA2080D3D4A1C3FCE99969,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000134753Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:46.884{6AAC6DF5-B0B4-6218-2B00-000000003802}28082828C:\Windows\system32\conhost.exe{6AAC6DF5-C99E-6218-8003-000000003802}3580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134752Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:46.884{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134751Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:46.884{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134750Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:46.884{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134749Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:46.884{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134748Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:46.884{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134747Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:46.884{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134746Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:46.884{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134745Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:46.884{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134744Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:46.884{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134743Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:46.884{6AAC6DF5-B0AF-6218-0500-000000003802}424540C:\Windows\system32\csrss.exe{6AAC6DF5-C99E-6218-8003-000000003802}3580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000134742Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:46.884{6AAC6DF5-B0B2-6218-2200-000000003802}15003888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6AAC6DF5-C99E-6218-8003-000000003802}3580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000134741Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:46.885{6AAC6DF5-C99E-6218-8003-000000003802}3580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6AAC6DF5-B0B0-6218-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{6AAC6DF5-B0B2-6218-2200-000000003802}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000134740Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:44.594{6AAC6DF5-B0C0-6218-5B00-000000003802}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-933.eu-central-1.compute.internal50939-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000134739Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:46.197{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30753B3183A9F6F8BA1F88758A75DDB8,SHA256=08C093A07B3FA3297AD5B7519378DFC5C8B0964B494EF9C179BC2DA463594561,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000189580Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:45.593{414E8EDF-B0C9-6218-6A00-000000003702}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52641-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000134756Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:47.900{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=56FB3721FC405E41BF4EB075C2DA0A18,SHA256=876510EB297B623E8B407DCFE64478BA371395600F8D013E2DAEBB14440F98BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134755Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:47.228{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=002040D72E1A49C0E4C641493E2A6CA9,SHA256=A3FD105F647A111A687015156D793FFC9470CD0B634BADF098A8720C266BC0FF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000134754Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:47.166{6AAC6DF5-C99E-6218-8003-000000003802}35802660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{6AAC6DF5-B0B2-6218-2200-000000003802}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000189582Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:48.010{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC2AC56EBF10225271A55B0AF8AE316D,SHA256=33BBCFA135E1E905DCDFA77293F3657806206AA3466EBD7A8682B8793B5D800E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134770Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:48.244{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D995B17F0DFE99AE6FE0C70422211031,SHA256=0175E68FF68A8BA0C0A86A951C69D88BFEFE2C10DE86F398E346E5C1C2EB9D98,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000134769Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:48.166{6AAC6DF5-B0B4-6218-2B00-000000003802}28082828C:\Windows\system32\conhost.exe{6AAC6DF5-C9A0-6218-8103-000000003802}1784C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134768Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:48.166{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134767Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:48.166{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134766Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:48.166{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134765Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:48.166{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134764Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:48.166{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134763Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:48.166{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134762Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:48.166{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134761Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:48.166{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134760Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:48.166{6AAC6DF5-B0B0-6218-0C00-000000003802}7362968C:\Windows\system32\svchost.exe{6AAC6DF5-B0B2-6218-1F00-000000003802}1040C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000134759Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:48.166{6AAC6DF5-B0AF-6218-0500-000000003802}4241012C:\Windows\system32\csrss.exe{6AAC6DF5-C9A0-6218-8103-000000003802}1784C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000134758Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:48.166{6AAC6DF5-B0B2-6218-2200-000000003802}15003888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6AAC6DF5-C9A0-6218-8103-000000003802}1784C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000134757Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:48.167{6AAC6DF5-C9A0-6218-8103-000000003802}1784C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6AAC6DF5-B0B0-6218-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{6AAC6DF5-B0B2-6218-2200-000000003802}1500C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000189583Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:49.151{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83C47A45818A24A90E765730C29B6B3B,SHA256=7B27D1855942FE856D081968F05B32C6DA176BD4E21A0C6E969E4022437CA4A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134772Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:49.244{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13139EBEB26EED15FD83085B0A97423B,SHA256=82AF8D652AB4E3DB00E2619898CE1503ECB388FD2B5B4ADDA40CC1F06E889F25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134771Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:49.213{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=48FC9D93B2825A51BC4DF90AB7223436,SHA256=F5194E9B237CDC0AF72628F8060B398DFFED5A82C500D3A44A3F6D05A595EC46,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000189592Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:50.338{414E8EDF-B0C0-6218-3300-000000003702}31843204C:\Windows\system32\conhost.exe{414E8EDF-C9A2-6218-CA03-000000003702}2560C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189591Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:50.338{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189590Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:50.338{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189589Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:50.338{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189588Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:50.338{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189587Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:50.338{414E8EDF-B0AE-6218-0500-000000003702}416532C:\Windows\system32\csrss.exe{414E8EDF-C9A2-6218-CA03-000000003702}2560C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000189586Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:50.338{414E8EDF-B0BE-6218-2900-000000003702}27923692C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{414E8EDF-C9A2-6218-CA03-000000003702}2560C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000189585Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:50.339{414E8EDF-C9A2-6218-CA03-000000003702}2560C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{414E8EDF-B0AE-6218-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{414E8EDF-B0BE-6218-2900-000000003702}2792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000189584Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:50.152{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=910D4D65D480FCD3E5E5C873FE725216,SHA256=3A93E9BC8EE33A9FF4BB60C4A6E7C9E70CB9E5A8363A125F3B5A37EA89143A85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134773Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:50.260{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EAECCD0174FEA2D59F773151AF550BF,SHA256=122C80DB605C5821E3B928FFC08C368B8CA3A3A9D433C241F8EAE9B03114717C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000134775Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:49.766{6AAC6DF5-B0C0-6218-5B00-000000003802}3976C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-933.eu-central-1.compute.internal50940-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000134774Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:51.291{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4922F0D331DD9170A1720860BA23F3C6,SHA256=92231DFA5101177791AE2D1617ACD966A7D3DA97A377283590DBFF3CECAC4FA0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000189613Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:51.854{414E8EDF-C9A3-6218-CC03-000000003702}1012596C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{414E8EDF-B0BE-6218-2900-000000003702}2792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000189612Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:50.687{414E8EDF-B0C9-6218-6A00-000000003702}3800C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-478.attackrange.local52642-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000189611Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:51.620{414E8EDF-B0C0-6218-3300-000000003702}31843204C:\Windows\system32\conhost.exe{414E8EDF-C9A3-6218-CC03-000000003702}1012C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189610Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:51.620{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189609Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:51.620{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189608Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:51.620{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189607Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:51.620{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189606Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:51.620{414E8EDF-B0AE-6218-0500-000000003702}416432C:\Windows\system32\csrss.exe{414E8EDF-C9A3-6218-CC03-000000003702}1012C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000189605Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:51.620{414E8EDF-B0BE-6218-2900-000000003702}27923692C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{414E8EDF-C9A3-6218-CC03-000000003702}1012C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000189604Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:51.620{414E8EDF-C9A3-6218-CC03-000000003702}1012C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{414E8EDF-B0AE-6218-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{414E8EDF-B0BE-6218-2900-000000003702}2792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000189603Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:51.401{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6C8E929EC13BE5E86E68B1AEDB0AAB77,SHA256=801A865E551EBF2C723D0BC03CEE9CCA1213FB30A5C1137219011DF5FD0763A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189602Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:51.385{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B10BFE676493E38F4F4C95CEA227B8BF,SHA256=DF532BF73EF75E02E934A8A073D37F6674C549D3ED715B70F9B7FE578091F841,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189601Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:51.229{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=197F3E98712A8AC97156D30243C9E7E8,SHA256=488E5D326AC8EA7B4278839738453DE3D65446DACB9588A2C5002BA7238A71ED,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000189600Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:51.010{414E8EDF-B0C0-6218-3300-000000003702}31843204C:\Windows\system32\conhost.exe{414E8EDF-C9A3-6218-CB03-000000003702}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189599Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:51.010{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189598Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:51.010{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189597Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:51.010{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189596Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:51.010{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189595Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:51.010{414E8EDF-B0AE-6218-0500-000000003702}416532C:\Windows\system32\csrss.exe{414E8EDF-C9A3-6218-CB03-000000003702}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000189594Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:51.010{414E8EDF-B0BE-6218-2900-000000003702}27923692C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{414E8EDF-C9A3-6218-CB03-000000003702}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000189593Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:51.011{414E8EDF-C9A3-6218-CB03-000000003702}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{414E8EDF-B0AE-6218-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{414E8EDF-B0BE-6218-2900-000000003702}2792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000189624Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:52.620{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6C8E929EC13BE5E86E68B1AEDB0AAB77,SHA256=801A865E551EBF2C723D0BC03CEE9CCA1213FB30A5C1137219011DF5FD0763A4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000189623Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:52.370{414E8EDF-C9A4-6218-CD03-000000003702}39203252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{414E8EDF-B0BE-6218-2900-000000003702}2792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000189622Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:52.292{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=573B02DB9ED6649B1C34CE057AFDD4F0,SHA256=E6D2376D354EFBBD691000C41D6093B5F97621A2A425D6ED1FBD98D475F14ADA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000134776Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:52.322{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84AECB2B36B9E1B05DF617F54FDB9177,SHA256=8AFA823E2A6CA6A1346C99D2E8DA2677E4325D15E8F4BF0AA9BD078A1706DBCE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000189621Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:52.120{414E8EDF-B0C0-6218-3300-000000003702}31843204C:\Windows\system32\conhost.exe{414E8EDF-C9A4-6218-CD03-000000003702}3920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189620Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:52.120{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189619Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:52.120{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189618Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:52.120{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189617Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:52.120{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189616Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:52.120{414E8EDF-B0AE-6218-0500-000000003702}416372C:\Windows\system32\csrss.exe{414E8EDF-C9A4-6218-CD03-000000003702}3920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000189615Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:52.120{414E8EDF-B0BE-6218-2900-000000003702}27923692C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{414E8EDF-C9A4-6218-CD03-000000003702}3920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000189614Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:52.121{414E8EDF-C9A4-6218-CD03-000000003702}3920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{414E8EDF-B0AE-6218-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{414E8EDF-B0BE-6218-2900-000000003702}2792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000134777Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-933-2022-02-25 12:20:53.369{6AAC6DF5-B0C8-6218-6C00-000000003802}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DF1DA8F43B9DD7CA5F49A158D9D144D,SHA256=60B8D7E37299054F0509F215136C78F7BEE1BABCF2295FDB9BE51E6F967A2547,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000189645Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:53.760{414E8EDF-C9A5-6218-CF03-000000003702}38481304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{414E8EDF-B0BE-6218-2900-000000003702}2792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000189644Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:52.874{414E8EDF-B0AE-6218-0B00-000000003702}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-478.attackrange.local52643-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-478.attackrange.local389ldap 354300x8000000000000000189643Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:52.874{414E8EDF-B0BE-6218-2B00-000000003702}2820C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-478.attackrange.local52643-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-478.attackrange.local389ldap 10341000x8000000000000000189642Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:53.526{414E8EDF-B0C0-6218-3300-000000003702}31843204C:\Windows\system32\conhost.exe{414E8EDF-C9A5-6218-CF03-000000003702}3848C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189641Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:53.526{414E8EDF-B0AE-6218-0500-000000003702}416532C:\Windows\system32\csrss.exe{414E8EDF-C9A5-6218-CF03-000000003702}3848C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000189640Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:53.526{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189639Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:53.526{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189638Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:53.526{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189637Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:53.526{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189636Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:53.526{414E8EDF-B0BE-6218-2900-000000003702}27923692C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{414E8EDF-C9A5-6218-CF03-000000003702}3848C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000189635Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:53.527{414E8EDF-C9A5-6218-CF03-000000003702}3848C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{414E8EDF-B0AE-6218-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{414E8EDF-B0BE-6218-2900-000000003702}2792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000189634Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:53.354{414E8EDF-B0D1-6218-7300-000000003702}3292NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D9F5F2BB02CF93647D02FF931AA9C55,SHA256=5CE9C9CC1F0D64DB6A94B594095AB937276D400A195C9342CD79DB1ED91D8E7A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000189633Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:53.260{414E8EDF-C9A5-6218-CE03-000000003702}28042216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{414E8EDF-B0BE-6218-2900-000000003702}2792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189632Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:53.026{414E8EDF-B0C0-6218-3300-000000003702}31843204C:\Windows\system32\conhost.exe{414E8EDF-C9A5-6218-CE03-000000003702}2804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189631Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:53.026{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189630Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:53.026{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189629Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:53.026{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189628Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:53.026{414E8EDF-B0B0-6218-0C00-000000003702}8406112C:\Windows\system32\svchost.exe{414E8EDF-B0BE-6218-2500-000000003702}2724C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000189627Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local-2022-02-25 12:20:53.026{414E8EDF-B0AE-6218-0500-000000003702}4165324C:\Windows\system32\csrss.exe{414E8EDF-C9A5-6218-CE03-000000003702}2804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000189626Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-478.attackrange.local<