23542300x8000000000000000284379Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:00.210{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6CC858A7D8E0852740AEC48263E2578,SHA256=67B59EA3130E3FCE6172E40B845B5C4F97B156C14C4D742189F453C85B0E8DB8,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000213589Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:00.129{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA78F6A36EFD3E201206A6593A7CB12E,SHA256=801515DD1ED06E0943A249FD27ABBF017BCD1B1F3795BEFBE38DF5AE236DFA9A,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000213591Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:32:58.659{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51130-false10.0.1.12-8000-
23542300x8000000000000000213590Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:01.145{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A916A255B220CC6992CD9C8830B9F115,SHA256=8B000BBDEC9428A68492C2813B572FD74CD24AB895CFA510C6FE3A7A8AEEA62B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284380Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:01.225{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F85DF96A4D5CF8E53EA4595225F17A5,SHA256=FB85E944B763E586396027D847EC15B777A1B970157BAF6D10FFC90BCFBACF3C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000213592Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:02.379{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=828DF729EB3487C482B5CDE371FA85AE,SHA256=1B5DDCDFF5BCE862D266B3CA2861B388EE6E6C0A48E789F44EF27E1247F2FB3E,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000284398Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:02.804{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0D5E-6216-8804-000000003802}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284397Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:02.804{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284396Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:02.804{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284395Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:02.804{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284394Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:02.804{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284393Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:02.804{C8EA50B7-F11C-6215-0500-000000003802}412428C:\Windows\system32\csrss.exe{C8EA50B7-0D5E-6216-8804-000000003802}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000284392Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:02.804{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0D5E-6216-8804-000000003802}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000284391Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:02.805{C8EA50B7-0D5E-6216-8804-000000003802}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x8000000000000000284390Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:02.272{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B40D46DAF436CF912A40B96E2C258A8,SHA256=27A97B146C7407BCAE80EE3F71D0F27951E48F6EF4A7B0B0F1497376CC9BDB1F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284389Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:02.257{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4C9374267C661A4FC3924AAF22AFE1F,SHA256=897050DF5506115047AC90B2C94CF95621DD7EC9892CE962A61FED8315AF5872,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000284388Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:02.194{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0D5E-6216-8704-000000003802}5596C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284387Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:02.190{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284386Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:02.189{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284385Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:02.189{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284384Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:02.189{C8EA50B7-F11C-6215-0500-000000003802}412368C:\Windows\system32\csrss.exe{C8EA50B7-0D5E-6216-8704-000000003802}5596C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000284383Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:02.189{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284382Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:02.189{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0D5E-6216-8704-000000003802}5596C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000284381Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:02.188{C8EA50B7-0D5E-6216-8704-000000003802}5596C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x8000000000000000213593Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:03.395{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A70A25D41F7A3727D703EF902F8F8C35,SHA256=E9AB6CDCF931BCCC5E80B60D4E9D4D58876A5C93601EA818AFD4C8A35EC03A03,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284402Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:03.267{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98E6DCE18721CD585C58DB0E5AF44835,SHA256=FB310E87F02158F75F16B237F3E3588626D235A74C496F9755C61B775F455EA3,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284401Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:03.199{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=877169D7318C972019E80A55CBA4FC2E,SHA256=CCFE473A09F8F92068B2A7CF13DA14D5B55F6228BED8CCC4AE8A8362B55312C2,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284400Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:03.199{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CB7787397C9E3AB345CF5868ECDB908E,SHA256=CBB6C2D7D0988B455EEEADACD2DD18E7AAD59BDE8959B393E6436B77D817358F,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000284399Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:03.102{C8EA50B7-0D5E-6216-8804-000000003802}36924884C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x8000000000000000213594Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:04.410{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFB160DC28FAC6A6D4FC4501EE8460E6,SHA256=9FB4521255807DF072D3F79F013E1B90CC44E1716EF7EB26F28CDEDAFA857AF9,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284412Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:04.603{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=877169D7318C972019E80A55CBA4FC2E,SHA256=CCFE473A09F8F92068B2A7CF13DA14D5B55F6228BED8CCC4AE8A8362B55312C2,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000284411Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:04.267{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0D60-6216-8904-000000003802}5188C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x8000000000000000284410Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:04.267{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72899BA97A74C29D4CBD9ABF8F76C879,SHA256=FB5EB529052774D8CB3ECEE504C436E4D5B78853958C77531CE383C4F9E9EE38,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000284409Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:04.267{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284408Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:04.267{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284407Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:04.267{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284406Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:04.267{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284405Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:04.267{C8EA50B7-F11C-6215-0500-000000003802}4122608C:\Windows\system32\csrss.exe{C8EA50B7-0D60-6216-8904-000000003802}5188C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000284404Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:04.267{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0D60-6216-8904-000000003802}5188C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000284403Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:04.268{C8EA50B7-0D60-6216-8904-000000003802}5188C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x8000000000000000213595Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:05.598{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BD113B83E0D37E8ACE2F24668DE2FDE,SHA256=D4914A8B20055AC33F1798FFA91BB532CF2EC862E7EBE0FCD18804E818C2BAF0,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284416Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:05.305{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C5CC9888C8A7E1A8BF76E882EAEB391,SHA256=2230EF3AAC6376906FF0065009BF24D2D788AD00ED4B1E468CD4D68D4BD17213,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000284415Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:03.046{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53171-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local389ldap
354300x8000000000000000284414Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:03.046{C8EA50B7-F130-6215-2C00-000000003802}2420C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53171-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local389ldap
354300x8000000000000000284413Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:02.644{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53170-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-
23542300x8000000000000000213596Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:06.614{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=843A35705D6A4F831C027A4A4054C33D,SHA256=D8EDE0F8C51EB1822201E0DC71E9FA9525B6E828F2F7F8B263E46EC5A9EE25FC,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284417Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:06.320{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B620D7B79564DB4FCCB705FC8D138654,SHA256=7EF28B5D2ED93581DB88F4D0EAAE337E57B7808515D74947117C3B86A52BD192,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000213597Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:07.614{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=749EF04AE8530265F0F33439654460A6,SHA256=FC503228F9BE23FC38765A8ECEF79A628599C12433DB6D1B82EB521732244CE0,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284418Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:07.352{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59B641F1C45AFAED5765C58D963E1030,SHA256=3BC8A09608942EFDB49A75056A76851070D62AC0E3CABC8C74D1DFDD59CF59E6,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000213599Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:08.629{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1D97881720F5B012A3744BFA28C21C6,SHA256=E1A7705A32EFAF4DE86BD6B25FAB05CC469028BA605557C46B854B655B2BFB16,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284419Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:08.383{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57C9E358754FFCF9EC3BE1B0E8A1ED59,SHA256=B057B205B762D17B6D3E65BECB608A681ABD9809EB11D775002AFB643952C7F3,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000213598Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:04.643{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51131-false10.0.1.12-8000-
23542300x8000000000000000213600Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:09.645{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E29ACC3E54C20203AFE93AFD2DBA5AB,SHA256=E4B04A4C606FF278062DEAD03DFC846EF5A9EC7E95834AB2DB6EECEF7A7C99A3,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284420Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:09.436{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA60036E1069536C846B6283F11DD3AB,SHA256=09655B3985A4AB667A444A46690E00DFEF9B4C076B3E393DF64A9EDE99B06D55,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000213601Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:10.754{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1F1B49D6FC16038DA15CE526AC6F78D,SHA256=C214D38A4B830CC9EDA718CBFD77CA350B0D26C81C07C4A9ED4B4BB93D80572B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284422Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:10.451{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7488A3205C2CD8EE18E95EB4BEA44D5D,SHA256=488A50070C1472B39B4589CAD98CF66648C92ACC1E1C1FF5BB6BA5083894BF86,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000284421Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:07.730{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53172-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-
23542300x8000000000000000213602Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:11.832{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA8843099BF5BB1BCC87989FB97F139A,SHA256=1C789B2E6D656FE3032E998695A1068EFDCC15021E2D0964D7D5E873064DBD5C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284423Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:11.451{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FD3669352E4EA4F9647BB4D66F34A96,SHA256=105F61BE2F382F2193AAA9B4A2AFFFFB79CCD6C95B14F2312834D37F3A02B879,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284424Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:12.466{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F33D18B14B22A444FCECDF792728AF1,SHA256=10ADA8A1EE48D9A94455B58A08914C3547306CC5D7338D1317F0BD3ECDA785E1,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000213603Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:10.628{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51132-false10.0.1.12-8000-
23542300x8000000000000000284425Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:13.500{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=156E472F676ECF39BA541A84226BFA0F,SHA256=1D589BCF1C8A6789D223232929C72E70DBE7ACA49E45EC6D98CB3A94655E903A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000213604Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:13.051{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94F67B23FF63FDC035471751CF8D1F3E,SHA256=1FC700902AB5ED3E66FE53FAF75B243DBABF88D47395DEF27782F16D88BEEF1D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284426Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:14.518{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99D1CDBE504843ADE2B31438CB6E1458,SHA256=64BDFE999C5A6E93BB69C31D6AF234C2F14E660E19F29D0D8D1A983EA7361340,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000213605Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:14.285{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D5A2396832BE32F70F5DE133E6F3C3A,SHA256=45D9925AF5DED69736093D0B7855A7147B4685CD4AA9A17A897C1B1316F30058,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000213606Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:15.520{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B70DDBF96C684D8020A93D3A25699646,SHA256=2771FF3DDDE5B1B4AA79EEB9111CB689981279E7EE490BE5ACA0B5279E04B361,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284427Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:15.538{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=463BB897549F03ABEE6AD16DBB2AEFEF,SHA256=F2B30107D6892DDDF8008BA039638F9117E9D3B0D24DF6D7A91872AD0C04AA28,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000213607Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:16.613{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCB69A5382FBFA8B1D336A87265368EA,SHA256=0B12E21D71C969A7C8FE6BB3DAA13DA5F712254CC7DC0389CC47C5A010757D9A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284429Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:16.538{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C82E724323548AE8D118D6FD031286F,SHA256=181D82978EAB5237E565C1C131B12A7C9CA7DB4213A470CAA170926DA38DA43A,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000284428Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:13.712{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53173-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-
23542300x8000000000000000284430Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:17.568{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C34C064DD8CFC49308B3E44ADFCD7B4E,SHA256=22D05F69E37F05765A9ECD57B4C65B2C9CBE751025E2B0D0FCDA0E9C4E250102,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000213608Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:17.645{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7ABE88C037B2C76ABD749EFADFC463B,SHA256=2D9E1AA177E22A947A0597677B9E9568421DE9F7A23501B06A6A1EA464DE578D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284431Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:18.605{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7083A44DEB8113AABC0130569F0CD3ED,SHA256=E4A5649473347E8154310F44C0975570C2A4B3F96B279BA135A0A2BC743FFA0C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000213609Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:18.645{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86A46DE1AE06CB8349F3CA73D18DB200,SHA256=7D9CCEB818BEDE91E0F563B245D069964C82F15A5466C2BA333C7C9EFA17F79A,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000284440Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:19.767{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0D6F-6216-8A04-000000003802}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284439Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:19.767{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284438Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:19.767{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284437Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:19.767{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284436Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:19.767{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284435Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:19.767{C8EA50B7-F11C-6215-0500-000000003802}4122608C:\Windows\system32\csrss.exe{C8EA50B7-0D6F-6216-8A04-000000003802}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000284434Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:19.767{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0D6F-6216-8A04-000000003802}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000284433Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:19.768{C8EA50B7-0D6F-6216-8A04-000000003802}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x8000000000000000284432Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:19.636{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CBCEC9E1137D0431707F05733E02569,SHA256=DEC0E2B4F16C34589EC134F8EBC92D7D47BA185F9BA9C6A8061CC34B39DB2463,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000213611Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:19.660{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE56F0E781244C2168D19EB58D76C4E1,SHA256=1E0A3612274DE2712B34B37EC7255F67D30DCD55A65A3ECE770AB035E6BCBA96,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000213610Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:16.643{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51133-false10.0.1.12-8000-
23542300x8000000000000000213612Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:20.754{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2371C8D1A6F7F1CCE7D917ED01C83180,SHA256=EA43DDCCB87CD9CE9C749B85062D40E8851A2FA85E42A3EAC9BBD5A57C50FEA2,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000284461Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:20.941{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0D70-6216-8C04-000000003802}5524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284460Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:20.941{C8EA50B7-F11C-6215-0500-000000003802}4122608C:\Windows\system32\csrss.exe{C8EA50B7-0D70-6216-8C04-000000003802}5524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000284459Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:20.941{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0D70-6216-8C04-000000003802}5524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284458Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:20.941{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284457Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:20.941{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284456Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:20.941{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284455Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:20.941{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000284454Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:20.942{C8EA50B7-0D70-6216-8C04-000000003802}5524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x8000000000000000284453Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:20.771{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2698DAEE11FFC3B336CFBF007E1B0F12,SHA256=29FB3EDD8F25E2CD74896D411399A2F4F880D0A1E4CF9F2E2E3B4E12FF599C5C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284452Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:20.771{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=586A8706309D2CF112F31AF4D58EFF3B,SHA256=EC9EDB3ED26A2EC95234409C40C6247EB60340836479BBABB8AC0B76BDF64094,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284451Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:20.640{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=760D694830ECAFE1ABC2A4602D1DEC24,SHA256=4E8E1950F33A0A15207318C8B66811E08FFBECA35B89DE0052478D29FEF8AB1C,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000284450Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:20.592{C8EA50B7-0D70-6216-8B04-000000003802}52405620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284449Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:20.273{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0D70-6216-8B04-000000003802}5240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284448Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:20.273{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284447Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:20.273{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284446Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:20.273{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284445Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:20.273{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284444Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:20.273{C8EA50B7-F11C-6215-0500-000000003802}412368C:\Windows\system32\csrss.exe{C8EA50B7-0D70-6216-8B04-000000003802}5240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000284443Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:20.273{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0D70-6216-8B04-000000003802}5240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000284442Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:20.274{C8EA50B7-0D70-6216-8B04-000000003802}5240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
10341000x8000000000000000284441Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:20.028{C8EA50B7-0D6F-6216-8A04-000000003802}44961960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x8000000000000000213613Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:21.770{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5AADD944D4AAB32DF6FFE4D64EC7898,SHA256=29DDFAA43B0E6C916DE7366B64B1A5FABFFB5EA0396232B0614D0135C10DC88B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284473Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:21.962{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2698DAEE11FFC3B336CFBF007E1B0F12,SHA256=29FB3EDD8F25E2CD74896D411399A2F4F880D0A1E4CF9F2E2E3B4E12FF599C5C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284472Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:21.661{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FB0DDC88D78C0226DADEBDF93142926,SHA256=C7CA9A2A78E8829087A3C17402142736267D4790AD70768EC9C816FF5F289534,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000284471Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:21.530{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0D71-6216-8D04-000000003802}5652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284470Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:21.530{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284469Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:21.530{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284468Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:21.530{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284467Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:21.530{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284466Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:21.530{C8EA50B7-F11C-6215-0500-000000003802}412368C:\Windows\system32\csrss.exe{C8EA50B7-0D71-6216-8D04-000000003802}5652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000284465Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:21.530{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0D71-6216-8D04-000000003802}5652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000284464Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:21.531{C8EA50B7-0D71-6216-8D04-000000003802}5652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
10341000x8000000000000000284463Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:21.287{C8EA50B7-0D70-6216-8C04-000000003802}55242816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
354300x8000000000000000284462Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:19.549{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53174-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-
23542300x8000000000000000284474Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:22.676{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E736F05F2250653244AE025AABBB5619,SHA256=BA11D7009E5A54AB69E841BE2A987396C20EFC2AF251C809C493EE89A7EFFA68,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284475Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:23.677{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F30BE3E9AB07787303B3AE8463EC227,SHA256=67465756B50754F4B32F09594A1FA0B21E5A9729FFF1EF14C672E4C645D3F2CF,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000213614Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:23.004{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C61734FB8B0EE1EFB7B6DF7FACABADC9,SHA256=261B53326B4C8E1AFAC64EFD839E0C281071BEC9CB07ED5985B4F16010875348,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284476Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:24.696{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38BE5D6037CEF6A942107582BA3D921C,SHA256=19929E0102B913368E9F9E19A4D0CE8AAAEC4057AB1B58CBE5C5CDA8FD9EE247,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000213616Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:22.690{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51134-false10.0.1.12-8000-
23542300x8000000000000000213615Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:24.145{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8882B8C53E5A470C6CED00ED27161925,SHA256=60D7E5FD923C49CA5E71972F85DC8D260942937370F43E371C21ACF60A7AE004,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284477Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:25.715{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0EE1F6F551F03F57310AC487424F697,SHA256=D00DDCCCE7FB849C824E0860A7026148596E7D84286EB875ED989F50A5242918,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000213617Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:25.270{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B415F3B0A2E0E86FC944CB7DC41E13F,SHA256=F2F285DC4F474E1AB2A0C65E031A1E1A0DF060C21DEBE1C4C6881CE2C1C643BA,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284478Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:26.730{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7960D317A6DFEDE29821B085C16CDE8D,SHA256=D60861315191C0A0360A7EE22A481A87917FCBC61F502F07F3149012E44748E2,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000213618Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:26.332{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC67B27C56B11E63C807FDE61938D9A2,SHA256=1987BFBE18F1F92964B9099C7D0D0E501C4C5ADCC6B0D8BAB929501B56EB5577,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000213619Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:27.363{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3405E4A9A5834D8E2610ABEFBDBE1284,SHA256=F0CB6B580D0436A129E794E53277BB099D9C6B7B506038615B138873E019AD32,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284480Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:27.761{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9427FAA5AF78517517C7B2CA66F8798,SHA256=C7FB08C9B2CCC28168481F3AA987D353B74839143E82D8705EA6D20ABD558A23,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000284479Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:24.724{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53175-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-
23542300x8000000000000000213620Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:28.598{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A13D5A83189AC545CBB63505899E011,SHA256=A15501CAFA613C3C76DB0BA8BBC03B8BD3F3DEE12BDB8E0A36546BF324E91B71,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284481Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:28.814{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F57D329888A8DC12DDFD959E54542D2,SHA256=F3FF6A305AA02F7DD3B3229F29A8718A5C66706AAEDF3DFA65C57EAE22DA6D88,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000213621Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:29.629{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5A8203E27CFB04BA8ED77AB51D578FD,SHA256=3444EB8F7FBE523C6442A9BF3F40483DB933E297FA31E0A40A7383E374C3DD15,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284482Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:29.829{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=668BAE49510DA1D063B09D8BC875CA39,SHA256=0A1ECC703BA6794D789CCDDC4A66349EB8D16A3F29DB7027BC78B79844B0C0F8,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000213623Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:30.848{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B24BA1E102BB16B38DC67F90FBB13B8,SHA256=EF4D02DA387828D058C4733095EB3ED720ADECADAADF0F9CD36BF89D29571A78,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284483Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:30.844{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C97F2A486037BAC0D7EE310159881FD7,SHA256=4194AAA62D29502F6CD5C4D8F032CF002D241F6C5C02FC65DF2747C1EF500FDF,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000213622Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:30.223{4F8D34B0-F11C-6215-1100-000000003902}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=C46BB996393CFA04AA8EF499E3649E0B,SHA256=6B97D010943DB8D6473B37496FF1D8246B177162B4FD273C96B0D870EB8FDAA2,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284484Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:31.845{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79DAFB506D0714E9F90BA7C6E02F9A96,SHA256=522625C0B8A7516A142D0FBD4F5CFB7A490FCB993F1A4A0298176786AF7603B6,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000213625Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:31.879{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=713A2901B3968AE43B902F6577BA8FB0,SHA256=43DD89DBD8831713C1D8B87BA7B6688427DBB2C473870669C05EA00CC33525B0,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000213624Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:28.471{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51135-false10.0.1.12-8000-
23542300x8000000000000000213627Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:32.895{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C7EB1EE3ABE973796863AE2B1051DAB,SHA256=26F431FE30A35ADE26C4703E8E0225D4727B1E5E4F42007FED7817357C867274,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284485Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:32.861{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A3237461F9F7A78EE3EB8C11C0A1CC2,SHA256=3BF8B4449CF6860C13FC053061F06B32DAF63A2C83C2FEF3032BCF4175530EC3,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000213626Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:32.382{4F8D34B0-F11D-6215-1D00-000000003902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04ffbe17aee3fbf0d\channels\health\respondent-20220223083233-117MD5=7840F8D654EED3E7C6FA395A9E23FA56,SHA256=FC4C38DACEF1698268BE802A03907A00216EAC67FA531AF20528DD4173FB9624,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000213629Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:33.899{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF26D7A3DEF4365A7C394095E5CD13A3,SHA256=40BDCDBC3A5B2B49FC90C04C3CD1DFBE0F4EF84516473E3FE5D3F1D66F9A872D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284488Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:33.877{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3886F8E09AEA1FF94D15A68F7E950BF,SHA256=6B3F1303BF63A33DBF4E41E268100952E4E63311B16AA096089F45F46E4B3D08,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000213628Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:33.381{4F8D34B0-F11D-6215-1D00-000000003902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04ffbe17aee3fbf0d\channels\health\surveyor-20220223083230-118MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000284487Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:30.554{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53176-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-
23542300x8000000000000000284486Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:33.230{C8EA50B7-F11F-6215-1300-000000003802}616NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=B6B1005DE87C92761D8A2945C916F028,SHA256=F166BBB82803136AA36CFC46A917EE6230328CAE4F249EF18E353B3030C6FBDE,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000213630Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:34.899{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D105BBDA343D32C81AF35C582B910E0,SHA256=AAF3BBDC32BE41705A351A7C3B66DC2FFB999C37A2095BE4C466884885F6AAE9,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284489Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:34.895{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DAE19AFFFC0C987A3EBE701F8564070,SHA256=A9899A56D7D3BC0F5BE41E72D969991B2129F610BADF4212908E0080193CE387,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284490Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:35.914{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D7F0B0F2DF1E9FB2F87B40012971A4F,SHA256=FFCED3890FEB7AC9A543D00B8D427F40F8E214C493DD801ED74EE60A96CFD3D9,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000213632Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:35.915{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75EAA6AA2B93BB911E855D046476E7BA,SHA256=56D670E7AD8B713F5FB4955A1114D4724007F39E6972EDFF737854127D3ECEFB,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000213631Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:33.586{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51136-false10.0.1.12-8000-
23542300x8000000000000000284491Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:36.929{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=843F5D8DCEAFB6C8BC6D17BA7DE1075A,SHA256=1D2CD7BF86B004F837D014A7D10F4F14A2DED2CBE502463B40D1DF4C316C59D8,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000213633Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:36.915{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BF3415B904DE66F70AD7A2088A5CD38,SHA256=C9104D8B6CD74C78A56456F6E34E60309AD1B7A95441001B93159A5995FB21F9,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000213634Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:37.930{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1ED79B863CDC45DF421C0596BD6E0930,SHA256=D1098427CB212465AA508C312014B66E56FF7EDE333735F8C23A100384BDA5D8,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284492Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:37.944{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C44241F5C8411864D0D55D13607C74A,SHA256=E28A32F45D72A194E874486918D8EDBF4DB375A87C0740971E7A5DBD0ED55A0A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000213635Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:38.930{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AAAB004A8050892B69F3B76A466198C,SHA256=C9F913D46A5A2887E1D33B9E32280D2582B1B1E6D53D9DD215C8ECC9F31F9FA0,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284493Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:38.959{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E20AD5D4B019792ED0F9D0808E198EC9,SHA256=0A62E54A6E837B9FC9E6F8F126312467931045E0000E73193829EC8D7E029AF7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284496Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:39.974{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F6392C03965C8A3B9A5326FDDA6AB64,SHA256=B3FED1F155D76D537DB113C299D0DE8DE2FE2B70264D1ED5FE6C9DF2655C3E61,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000213636Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:39.946{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12EB513AE56FB68D9CA09DDCD940516C,SHA256=6476BDB5D6AAE71F7B8DCA2BB7FC7FB76B59C2CFFC3247E2AC827E5B57A3D9E1,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000284495Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:36.554{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53177-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-
23542300x8000000000000000284494Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:39.374{C8EA50B7-F130-6215-3000-000000003802}2512NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C796F5788518CF0F57AB5C87207C5D14,SHA256=0CE7095FECB35749AB15D15586D728EDDAEC94009FC3FB4FCEDC790B064FF951,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000213637Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:40.946{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80270E3CB2236D9EFDA3525895F15BB3,SHA256=AE1C692369462CA46DCD9F4933DCFBAC3A0BB1AA394DFDE7D3E040F44E3BD090,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000284504Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:38.821{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53178-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089-
10341000x8000000000000000284503Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:40.558{C8EA50B7-F11D-6215-0B00-000000003802}628792C:\Windows\system32\lsass.exe{C8EA50B7-F118-6215-0100-000000003802}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+97022|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2f1f1|C:\Windows\system32\lsasrv.dll+2d0d6|C:\Windows\system32\lsasrv.dll+32919|C:\Windows\system32\lsasrv.dll+30267|C:\Windows\system32\lsasrv.dll+2f1f1|C:\Windows\system32\lsasrv.dll+1752d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e
10341000x8000000000000000284502Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:40.558{C8EA50B7-F11D-6215-0B00-000000003802}628792C:\Windows\system32\lsass.exe{C8EA50B7-F11F-6215-1500-000000003802}1092C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284501Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:40.442{C8EA50B7-F11D-6215-0B00-000000003802}628792C:\Windows\system32\lsass.exe{C8EA50B7-F11F-6215-1000-000000003802}364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284500Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:40.442{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-F11F-6215-1000-000000003802}364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x8000000000000000284499Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:40.295{C8EA50B7-F130-6215-3000-000000003802}2512NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db\snapshot.old\snap.datMD5=6CF9A8767A7C5C3336EAAE94DD7E2785,SHA256=2D8683EA5F0648B85E1F5FE8784B32082818B6C42E179A2E3300CAF5FDC956EC,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284498Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:40.295{C8EA50B7-F130-6215-3000-000000003802}2512NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db\snapshot.old\btree_records.datMD5=1A79FAAEC2C81CF6122ECABE22A9AB1D,SHA256=0CDEF564B765EC1044A5FF4DCDC57AAB7D2E3A62E2AA457D2B89C77C9D115552,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284497Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:40.295{C8EA50B7-F130-6215-3000-000000003802}2512NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db\snapshot.old\btree_index.datMD5=509BA9E1023BD4FC06C0BC8063BA1873,SHA256=39058889EBF7EFBBB5E65F35E8B3268268B6B3E3AD055C0E9BD5623904581A18,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000213638Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:41.962{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=163C0D5ABB24C946C96CB1F10A628851,SHA256=251FF82C2B9E4A743FCDF0EAFFC41185D60D373B6F788FB114C55F5B9D5B715E,IMPHASH=00000000000000000000000000000000falsetrue
13241300x8000000000000000284512Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 10:33:41.749{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\6FC0DF5C-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_6FC0DF5C-0000-0000-0000-100000000000.XML
13241300x8000000000000000284511Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 10:33:41.749{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\BA30863B-E0B8-488B-829D-A0E9DE6AE59C\Config SourceDWORD (0x00000001)
13241300x8000000000000000284510Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 10:33:41.749{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\BA30863B-E0B8-488B-829D-A0E9DE6AE59C\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_BA30863B-E0B8-488B-829D-A0E9DE6AE59C.XML
10341000x8000000000000000284509Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:41.734{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284508Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:41.734{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x8000000000000000284507Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:41.481{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=91605D5EF26484A5CC8BDE07810C9FA8,SHA256=3FAE13C927B0E96BFA2766D8090A0EEA2B42111ABE3BDCC007D0FA4757854F18,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284506Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:41.481{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2141B5037A780B4C47BBF6BE113C0B2A,SHA256=6AEF9A806993048A73476EF9FADBDAA20949F1E4D949B76E64485578AC645713,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284505Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:41.026{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B43A5CA2675735F57CE9BB0B9B4E788D,SHA256=B4E3779EB1ED37A3A57BD182ABE2647EA86C76B16224F42595976D359EC61220,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000213640Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:42.977{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=809352B78411411B9F422FB4ADD62EF3,SHA256=210EEF906B8084615165C4414F9ED3A7AAE9AA784865BF15600A8460F48F6068,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000213639Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:39.476{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51137-false10.0.1.12-8000-
354300x8000000000000000284526Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:40.042{C8EA50B7-F118-6215-0100-000000003802}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local53183-truefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local445microsoft-ds
354300x8000000000000000284525Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:40.042{C8EA50B7-F118-6215-0100-000000003802}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local53183-truefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local445microsoft-ds
354300x8000000000000000284524Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:39.934{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53182-false10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local389ldap
354300x8000000000000000284523Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:39.933{C8EA50B7-F11F-6215-1000-000000003802}364C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53182-false10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local389ldap
354300x8000000000000000284522Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:39.924{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local53181-truefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local389ldap
354300x8000000000000000284521Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:39.924{C8EA50B7-F11F-6215-1000-000000003802}364C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local53181-truefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local389ldap
354300x8000000000000000284520Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:39.924{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local53180-truefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local49666-
354300x8000000000000000284519Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:39.924{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local53180-truefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local49666-
354300x8000000000000000284518Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:39.923{C8EA50B7-F11F-6215-0D00-000000003802}888C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local53179-truefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local135epmap
354300x8000000000000000284517Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:39.923{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local53179-truefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local135epmap
10341000x8000000000000000284516Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:42.580{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284515Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:42.580{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284514Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:42.580{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x8000000000000000284513Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:42.033{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD25C2111562C2DE30A1F4FCAC84D13C,SHA256=18289F9F667DE3198FBC1E82B9780E1ECAB784267ABC273E9C9AEE8ADEA10D04,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000213641Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:43.993{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35CD6F5097DE2098CB2A3A766A228916,SHA256=41654F71F48954D197EC797B066B0467FA442A8E2B2934CEDA1235D0AC817ACD,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000284540Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:42.058{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53186-false10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local389ldap
354300x8000000000000000284539Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:42.058{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53186-false10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local389ldap
23542300x8000000000000000284538Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:43.582{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=91605D5EF26484A5CC8BDE07810C9FA8,SHA256=3FAE13C927B0E96BFA2766D8090A0EEA2B42111ABE3BDCC007D0FA4757854F18,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000284537Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:43.582{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284536Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:43.582{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
354300x8000000000000000284535Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:41.612{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53185-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-
354300x8000000000000000284534Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:41.233{C8EA50B7-F11F-6215-1500-000000003802}1092C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10e:0:0:c830:d833:fbf:ffff-54276-truee000:fc:0:0:0:0:0:0-5355llmnr
354300x8000000000000000284533Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:41.233{C8EA50B7-F11F-6215-1500-000000003802}1092C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local54276-trueff02:0:0:0:0:0:1:3-5355llmnr
354300x8000000000000000284532Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:41.214{C8EA50B7-F11F-6215-0D00-000000003802}888C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local53184-truefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local135epmap
354300x8000000000000000284531Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:41.214{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local53184-truefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local135epmap
10341000x8000000000000000284530Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:43.419{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284529Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:43.419{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284528Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:43.419{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x8000000000000000284527Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:43.102{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A8441ABF46E399CA0C24A6CEBB5DE51,SHA256=9FB5373D8D199E9763F815B4A3C42D55030562147C45E90C061816F64B3E64A0,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000213642Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:44.993{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C15BC32284660ED576C70995842C4D0B,SHA256=0CEEF357F21ADF181CD93F758CE1363BA6165945CE7D4B1070A6D2F511A12E31,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284541Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:44.119{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC3E6E1BA69CDB047A1B08C4BFF1CC69,SHA256=B01CD5892DA465BCD4D61FC9789D8D31B9A77A87B5319319FEB2632BA292A467,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000284551Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:42.897{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53187-false10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local389ldap
354300x8000000000000000284550Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:42.897{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53187-false10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local389ldap
23542300x8000000000000000284549Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:45.581{C8EA50B7-0169-6216-B402-000000003802}4248ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\datareporting\glean\pending_pings\bcbbb622-4c3f-4d7b-b8d4-2b13bfb7f68bMD5=02213EC848451B3F02BB7EAF35036FF6,SHA256=DC737F89822027D7EF4E30066E24262565AFD0CF7C2D6AA0992A65A1247D8299,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284548Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:45.319{C8EA50B7-0169-6216-B402-000000003802}4248ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\datareporting\aborted-session-pingMD5=4C73FEDBE8618C3D97840B0AD31FBF69,SHA256=0AF8B2A1553B24EC2A7628C57EADDA7E9AEA64E0FAD96CC48957356550F0B542,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284547Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:45.281{C8EA50B7-0169-6216-B402-000000003802}4248ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\datareporting\glean\db\data.safe.binMD5=EF09B4E57671E707683DE7EF899B69A6,SHA256=1499ABA0A57C7745C0E574A6E415C5CEF9636504DC6E4F1696DF4F787D8C0479,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284546Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:45.281{C8EA50B7-0169-6216-B402-000000003802}4248ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\datareporting\glean\db\data.safe.binMD5=F20DE062BBE0C7A8438F39D9B3692106,SHA256=411E9F29A380886B6C2C2EE95C72CCC3E927F996490D65D4E27A1F6D0306CF5C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284545Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:45.265{C8EA50B7-0169-6216-B402-000000003802}4248ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\datareporting\glean\db\data.safe.binMD5=76B26BBAB7D5A517D3EB8BF01D64988F,SHA256=A30F00BDCE2E73EC9384B8351C30346379D9885C10BAD68945348D0F610A9301,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284544Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:45.265{C8EA50B7-0169-6216-B402-000000003802}4248ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\datareporting\glean\db\data.safe.binMD5=5C527EEC583A71E14591C5DA7405CDA0,SHA256=A347A44AA4EC8BEF48EB471E573942DB39AFB240DFCDD19393F475504CD41BE4,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284543Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:45.265{C8EA50B7-0169-6216-B402-000000003802}4248ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\datareporting\glean\db\data.safe.binMD5=B4AD484BBB16EDEB346E10DAABA3FCFD,SHA256=5000C87ACED6E56197FD286C43F2986B9BA756CA42E42D8BE45C6B41C8D9E388,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284542Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:45.134{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=558564D174C400FF68B53FACFBAE128A,SHA256=83BC5358AE847BD647BEEEFC0291FFA7346787031D676F1F321274A6161D8FA8,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000213669Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:45.633{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-0D89-6216-E103-000000003902}1936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213668Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:45.633{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213667Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:45.633{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213666Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:45.633{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213665Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:45.633{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213664Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:45.633{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213663Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:45.633{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213662Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:45.633{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213661Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:45.633{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213660Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:45.633{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213659Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:45.633{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-0D89-6216-E103-000000003902}1936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000213658Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:45.633{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-0D89-6216-E103-000000003902}1936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000213657Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:45.635{4F8D34B0-0D89-6216-E103-000000003902}1936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x8000000000000000213656Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:45.618{4F8D34B0-F11D-6215-2300-000000003902}2036NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C796F5788518CF0F57AB5C87207C5D14,SHA256=0CE7095FECB35749AB15D15586D728EDDAEC94009FC3FB4FCEDC790B064FF951,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000213655Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:45.133{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-0D89-6216-E003-000000003902}2404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213654Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:45.133{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213653Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:45.133{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213652Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:45.133{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213651Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:45.133{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213650Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:45.133{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213649Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:45.133{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213648Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:45.133{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213647Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:45.133{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213646Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:45.133{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213645Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:45.133{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-0D89-6216-E003-000000003902}2404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000213644Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:45.133{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-0D89-6216-E003-000000003902}2404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000213643Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:45.134{4F8D34B0-0D89-6216-E003-000000003902}2404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
354300x8000000000000000284558Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:44.834{C8EA50B7-0169-6216-B402-000000003802}4248C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53188-false34.120.208.123123.208.120.34.bc.googleusercontent.com443https
354300x8000000000000000284557Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:44.833{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local51634-
354300x8000000000000000284556Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:44.831{C8EA50B7-F11F-6215-1500-000000003802}1092C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudpfalsefalse127.0.0.1-65535-false127.0.0.1-53domain
354300x8000000000000000284555Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:44.812{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-65535-
354300x8000000000000000284554Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:44.812{C8EA50B7-F11F-6215-1500-000000003802}1092C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue7f00:1:0:0:98f0:e32b:fbf:ffff-65535-true7f00:1:0:0:0:0:0:0-53domain
23542300x8000000000000000284553Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:46.150{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=720756537901EC92A3B48144191076B5,SHA256=4EC2D0AFE97362B4DBC87A8AFAD1DBCAF12581C40587CB2528505DEE695CCDBD,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000213673Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:46.274{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C71EBD123762779D8028010D4D1311CA,SHA256=F2CF8205D19F4AAC870A79BEAFA499ECB32110035761E627091579437CB3F843,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000213672Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:46.274{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCC20C3199EB9768BBCB399921A5B41A,SHA256=41EBC140EF14EEDB4F97FBA93F3D91767EC0D4955AFED52B5EDC21B5915AB1BE,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000213671Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:46.274{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=65CB46174FDF03152BEF90D67867C3D6,SHA256=DCE20E5C93DBCD2F26EDDF56AA1B80BAB046B9FD6956F4B07A0E29B7093FF488,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000284552Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:46.118{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-F11F-6215-1500-000000003802}1092C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213670Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:45.993{4F8D34B0-0D89-6216-E103-000000003902}19362452C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213701Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:47.915{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-0D8B-6216-E303-000000003902}1172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213700Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:47.915{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213699Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:47.915{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213698Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:47.915{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213697Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:47.915{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213696Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:47.915{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213695Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:47.915{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213694Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:47.915{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213693Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:47.915{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213692Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:47.915{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213691Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:47.915{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-0D8B-6216-E303-000000003902}1172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000213690Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:47.915{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-0D8B-6216-E303-000000003902}1172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000213689Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:47.916{4F8D34B0-0D8B-6216-E303-000000003902}1172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
10341000x8000000000000000213688Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:47.415{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-0D8B-6216-E203-000000003902}2740C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213687Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:47.415{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213686Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:47.415{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213685Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:47.415{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213684Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:47.415{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213683Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:47.415{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213682Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:47.415{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213681Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:47.415{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213680Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:47.415{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213679Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:47.415{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213678Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:47.415{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-0D8B-6216-E203-000000003902}2740C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000213677Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:47.415{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-0D8B-6216-E203-000000003902}2740C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000213676Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:47.416{4F8D34B0-0D8B-6216-E203-000000003902}2740C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x8000000000000000213675Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:47.305{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E888848BB31508B8B32C19C398019E70,SHA256=9E18BE101277351F2E412663EA4A1C85FB7B2FF61FFAAB5C30789EA59231B32A,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000284622Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.966{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284621Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.966{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284620Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.966{C8EA50B7-F11D-6215-0B00-000000003802}628792C:\Windows\system32\lsass.exe{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1b8ad|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284619Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.966{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F11F-6215-1000-000000003802}364C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284618Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.919{C8EA50B7-F11D-6215-0B00-000000003802}628792C:\Windows\system32\lsass.exe{C8EA50B7-0D8B-6216-8E04-000000003802}2268C:\Program Files\Mozilla Firefox\pingsender.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284617Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.919{C8EA50B7-F11D-6215-0B00-000000003802}628792C:\Windows\system32\lsass.exe{C8EA50B7-0D8B-6216-8E04-000000003802}2268C:\Program Files\Mozilla Firefox\pingsender.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284616Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.919{C8EA50B7-F11F-6215-0D00-000000003802}888916C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+f8c6|c:\windows\system32\rpcss.dll+1255a|c:\windows\system32\rpcss.dll+77ac|C:\Windows\System32\RPCRT4.dll+6a428|C:\Windows\System32\RPCRT4.dll+2ef79|C:\Windows\System32\RPCRT4.dll+2ed93|C:\Windows\System32\RPCRT4.dll+142d4|C:\Windows\System32\RPCRT4.dll+14751|C:\Windows\System32\RPCRT4.dll+11a1d|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284615Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.919{C8EA50B7-F11F-6215-0D00-000000003802}888916C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+f8c6|c:\windows\system32\rpcss.dll+1255a|c:\windows\system32\rpcss.dll+77ac|C:\Windows\System32\RPCRT4.dll+6a428|C:\Windows\System32\RPCRT4.dll+2ef79|C:\Windows\System32\RPCRT4.dll+2ed93|C:\Windows\System32\RPCRT4.dll+142d4|C:\Windows\System32\RPCRT4.dll+14751|C:\Windows\System32\RPCRT4.dll+11a1d|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284614Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.919{C8EA50B7-F11F-6215-0D00-000000003802}888916C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+f8c6|c:\windows\system32\rpcss.dll+1255a|c:\windows\system32\rpcss.dll+77ac|C:\Windows\System32\RPCRT4.dll+6a428|C:\Windows\System32\RPCRT4.dll+2ef79|C:\Windows\System32\RPCRT4.dll+2ed93|C:\Windows\System32\RPCRT4.dll+142d4|C:\Windows\System32\RPCRT4.dll+14751|C:\Windows\System32\RPCRT4.dll+11a1d|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284613Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.919{C8EA50B7-F11F-6215-0D00-000000003802}888916C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+f8c6|c:\windows\system32\rpcss.dll+1255a|c:\windows\system32\rpcss.dll+77ac|C:\Windows\System32\RPCRT4.dll+6a428|C:\Windows\System32\RPCRT4.dll+2ef79|C:\Windows\System32\RPCRT4.dll+2ed93|C:\Windows\System32\RPCRT4.dll+142d4|C:\Windows\System32\RPCRT4.dll+14751|C:\Windows\System32\RPCRT4.dll+11a1d|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284612Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.919{C8EA50B7-F11F-6215-0D00-000000003802}888916C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+f8c6|c:\windows\system32\rpcss.dll+1255a|c:\windows\system32\rpcss.dll+77ac|C:\Windows\System32\RPCRT4.dll+6a428|C:\Windows\System32\RPCRT4.dll+2ef79|C:\Windows\System32\RPCRT4.dll+2ed93|C:\Windows\System32\RPCRT4.dll+142d4|C:\Windows\System32\RPCRT4.dll+14751|C:\Windows\System32\RPCRT4.dll+11a1d|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284611Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.882{C8EA50B7-F11F-6215-1500-000000003802}1092100C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284610Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.835{C8EA50B7-F11F-6215-1000-000000003802}364764C:\Windows\system32\svchost.exe{C8EA50B7-0D8B-6216-8F04-000000003802}5156C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284609Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.835{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-0D8B-6216-8F04-000000003802}5156C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284608Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.820{C8EA50B7-0D8B-6216-8F04-000000003802}51563244C:\Windows\system32\conhost.exe{C8EA50B7-0D8B-6216-8E04-000000003802}2268C:\Program Files\Mozilla Firefox\pingsender.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x8000000000000000284607Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.820{C8EA50B7-0169-6216-B402-000000003802}4248ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\datareporting\glean\db\data.safe.binMD5=92EB96F584A7057DBF667877AAE18867,SHA256=F36DB29B6900A7B392B2856F3758944EF15A3DC2FB1CF4C514624F043CFEE90C,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000284606Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.804{C8EA50B7-F2AA-6215-B100-000000003802}22443360C:\Windows\system32\csrss.exe{C8EA50B7-0D8B-6216-8F04-000000003802}5156C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f
23542300x8000000000000000284605Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.804{C8EA50B7-0169-6216-B402-000000003802}4248ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\datareporting\glean\db\data.safe.binMD5=EF09B4E57671E707683DE7EF899B69A6,SHA256=1499ABA0A57C7745C0E574A6E415C5CEF9636504DC6E4F1696DF4F787D8C0479,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000284604Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.804{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284603Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.804{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284602Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.804{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284601Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.804{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284600Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.804{C8EA50B7-F2AA-6215-B100-000000003802}22443360C:\Windows\system32\csrss.exe{C8EA50B7-0D8B-6216-8E04-000000003802}2268C:\Program Files\Mozilla Firefox\pingsender.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000284599Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.804{C8EA50B7-0169-6216-B402-000000003802}42485616C:\Program Files\Mozilla Firefox\firefox.exe{C8EA50B7-0D8B-6216-8E04-000000003802}2268C:\Program Files\Mozilla Firefox\pingsender.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Mozilla Firefox\xul.dll+2195b7f|C:\Program Files\Mozilla Firefox\xul.dll+2195995|C:\Program Files\Mozilla Firefox\xul.dll+21959e1|C:\Program Files\Mozilla Firefox\xul.dll+1f97402|C:\Program Files\Mozilla Firefox\xul.dll+1a149ae|C:\Program Files\Mozilla Firefox\xul.dll+1a160f2|C:\Program Files\Mozilla Firefox\xul.dll+1bde499|C:\Program Files\Mozilla Firefox\xul.dll+179ae0c|C:\Program Files\Mozilla Firefox\xul.dll+13b7d2|C:\Program Files\Mozilla Firefox\xul.dll+154551e|UNKNOWN(000001D1D5754AA0)
154100x8000000000000000284598Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.808{C8EA50B7-0D8B-6216-8E04-000000003802}2268C:\Program Files\Mozilla Firefox\pingsender.exe97.0.1-FirefoxMozilla Foundationpingsender.exe"C:\Program Files\Mozilla Firefox\pingsender.exe" https://incoming.telemetry.mozilla.org/submit/telemetry/1868edc7-c857-4cda-bf8d-c3c683167443/event/Firefox/97.0.1/release/20220216172458?v=4 C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\saved-telemetry-pings\1868edc7-c857-4cda-bf8d-c3c683167443 https://incoming.telemetry.mozilla.org/submit/telemetry/7a931ddd-ad59-42aa-8f07-8e0b9ff26739/main/Firefox/97.0.1/release/20220216172458?v=4 C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\saved-telemetry-pings\7a931ddd-ad59-42aa-8f07-8e0b9ff26739C:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32MediumMD5=02AB913D3540422BFA0A676B861403F0,SHA256=9C14E91757BD1A4F8F2AC4B3F9D6294A8250C8DA03A110D358A6C785B56A273A,IMPHASH=AF27FA7223A9B6FE80447A0E6715E632{C8EA50B7-0169-6216-B402-000000003802}4248C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"
23542300x8000000000000000284597Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.804{C8EA50B7-0169-6216-B402-000000003802}4248ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\datareporting\aborted-session-pingMD5=ACC81F4E82D7168A6C94A58AAF0D5E91,SHA256=7DC13A04E37A10229BE461C7966ABEF55B25379F13034B09D98CD7274DB82685,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284596Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.751{C8EA50B7-0169-6216-B402-000000003802}4248ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\storage.sqlite-journalMD5=96BB172370367CCA60870763CC50221A,SHA256=C5799C3480BF879AB36EC359CE2D34F31B2C6F80568EB4E4B303165F6895EEBB,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284595Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.735{C8EA50B7-0169-6216-B402-000000003802}4248ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-walMD5=04792AB6DB83E2AD3CA851DDA7DB1E3C,SHA256=4ADA47CC311C530BE18868F0D452AAD291A45F6743C39872FE9F7561127DAA5A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284594Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.735{C8EA50B7-0169-6216-B402-000000003802}4248ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=4B69EABCB44AE2CB38D074D2F5BF014B,SHA256=C886DDB107FC27A4F7323D45D5FC6CA9D22210E29412A78E35F2A0F339F04A04,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284593Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.719{C8EA50B7-0169-6216-B402-000000003802}4248ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\xulstore.jsonMD5=C0AA4F6F7078705CF225CC9703918D17,SHA256=C27A69EBDC4BF33CDA12D758E155B64789F68B2FB69C33694314A7BD7096330A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284592Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.719{C8EA50B7-0169-6216-B402-000000003802}4248ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284591Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.719{C8EA50B7-0169-6216-B402-000000003802}4248ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\favicons.sqlite-walMD5=DCA86FF68E85D8F8DA92415B6B773A45,SHA256=FA4A1EF2B7020A639EB1ABAB208BA02F37EF7678E8570EFA7391F193EBB51480,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284590Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.704{C8EA50B7-0169-6216-B402-000000003802}4248ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\favicons.sqlite-shmMD5=1033E1498707219F197623C123FDD7B5,SHA256=7EB6D6BE30DFDCACC17157C40052B80F96580AF770C5E0DAB07011C7A1615879,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284589Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.704{C8EA50B7-0169-6216-B402-000000003802}4248ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\places.sqlite-walMD5=6F61353C5EE0409F30B6060E76D164A7,SHA256=8FF922243F76EC40526E716109CA776DBAFCD0C119E5EF207F4F547D3E014952,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284588Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.682{C8EA50B7-0169-6216-B402-000000003802}4248ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\places.sqlite-shmMD5=031633A3C890A5CB129F2392827367F8,SHA256=C54561CA2E757C1E8DCA0AF8B8BE7E43BB5113E60CDCE839A2B2A240E8EAC72A,IMPHASH=00000000000000000000000000000000falsetrue
17141700x8000000000000000284587Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-CreatePipe2022-02-23 10:33:47.650{C8EA50B7-0169-6216-B402-000000003802}4248\chrome.4248.27.10774680C:\Program Files\Mozilla Firefox\firefox.exe
17141700x8000000000000000284586Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-CreatePipe2022-02-23 10:33:47.650{C8EA50B7-0169-6216-B402-000000003802}4248\chrome.4248.26.61084029C:\Program Files\Mozilla Firefox\firefox.exe
17141700x8000000000000000284585Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-CreatePipe2022-02-23 10:33:47.650{C8EA50B7-0169-6216-B402-000000003802}4248\chrome.4248.25.59240354C:\Program Files\Mozilla Firefox\firefox.exe
17141700x8000000000000000284584Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-CreatePipe2022-02-23 10:33:47.650{C8EA50B7-0169-6216-B402-000000003802}4248\chrome.4248.24.118981635C:\Program Files\Mozilla Firefox\firefox.exe
23542300x8000000000000000284583Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.635{C8EA50B7-0169-6216-B402-000000003802}4248ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\cookies.sqlite-walMD5=007A4FE2F1859938790B71050EE83E01,SHA256=E36EEB47D52C48FD9AEDDE3FCD018C77429DA7639B53CC1B25D289EE32524DE5,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000284582Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.619{C8EA50B7-0169-6216-B402-000000003802}42485616C:\Program Files\Mozilla Firefox\firefox.exe{C8EA50B7-018A-6216-C502-000000003802}4360C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2bd60|C:\Program Files\Mozilla Firefox\xul.dll+e38a9d|C:\Program Files\Mozilla Firefox\xul.dll+e32cb9|C:\Program Files\Mozilla Firefox\xul.dll+e28dfc|C:\Program Files\Mozilla Firefox\xul.dll+1f97402|C:\Program Files\Mozilla Firefox\xul.dll+1a149ae|C:\Program Files\Mozilla Firefox\xul.dll+1a160f2|C:\Program Files\Mozilla Firefox\xul.dll+1bde499|C:\Program Files\Mozilla Firefox\xul.dll+179ae0c|C:\Program Files\Mozilla Firefox\xul.dll+129873|C:\Program Files\Mozilla Firefox\xul.dll+126c0cc|C:\Program Files\Mozilla Firefox\xul.dll+1be862b|C:\Program Files\Mozilla Firefox\xul.dll+1bdeaf8|C:\Program Files\Mozilla Firefox\xul.dll+179ae0c|C:\Program Files\Mozilla Firefox\xul.dll+1749117|UNKNOWN(000001D1D5751E54)
10341000x8000000000000000284581Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.619{C8EA50B7-0169-6216-B402-000000003802}42485616C:\Program Files\Mozilla Firefox\firefox.exe{C8EA50B7-0175-6216-C002-000000003802}5104C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2bd60|C:\Program Files\Mozilla Firefox\xul.dll+e38a9d|C:\Program Files\Mozilla Firefox\xul.dll+e32cb9|C:\Program Files\Mozilla Firefox\xul.dll+e28dfc|C:\Program Files\Mozilla Firefox\xul.dll+1f97402|C:\Program Files\Mozilla Firefox\xul.dll+1a149ae|C:\Program Files\Mozilla Firefox\xul.dll+1a160f2|C:\Program Files\Mozilla Firefox\xul.dll+1bde499|C:\Program Files\Mozilla Firefox\xul.dll+179ae0c|C:\Program Files\Mozilla Firefox\xul.dll+129873|C:\Program Files\Mozilla Firefox\xul.dll+126c0cc|C:\Program Files\Mozilla Firefox\xul.dll+1be862b|C:\Program Files\Mozilla Firefox\xul.dll+1bdeaf8|C:\Program Files\Mozilla Firefox\xul.dll+179ae0c|C:\Program Files\Mozilla Firefox\xul.dll+1749117|UNKNOWN(000001D1D5751E54)
10341000x8000000000000000284580Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.619{C8EA50B7-0169-6216-B402-000000003802}42485616C:\Program Files\Mozilla Firefox\firefox.exe{C8EA50B7-0174-6216-BF02-000000003802}3332C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2bd60|C:\Program Files\Mozilla Firefox\xul.dll+e38a9d|C:\Program Files\Mozilla Firefox\xul.dll+e32cb9|C:\Program Files\Mozilla Firefox\xul.dll+e28dfc|C:\Program Files\Mozilla Firefox\xul.dll+1f97402|C:\Program Files\Mozilla Firefox\xul.dll+1a149ae|C:\Program Files\Mozilla Firefox\xul.dll+1a160f2|C:\Program Files\Mozilla Firefox\xul.dll+1bde499|C:\Program Files\Mozilla Firefox\xul.dll+179ae0c|C:\Program Files\Mozilla Firefox\xul.dll+129873|C:\Program Files\Mozilla Firefox\xul.dll+126c0cc|C:\Program Files\Mozilla Firefox\xul.dll+1be862b|C:\Program Files\Mozilla Firefox\xul.dll+1bdeaf8|C:\Program Files\Mozilla Firefox\xul.dll+179ae0c|C:\Program Files\Mozilla Firefox\xul.dll+1749117|UNKNOWN(000001D1D5751E54)
23542300x8000000000000000284579Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.619{C8EA50B7-0169-6216-B402-000000003802}4248ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\cookies.sqlite-shmMD5=8AFDC709E073C996DDE9813C4964F305,SHA256=92770B7CFF0D6AF92CC6F7AAE2A1861A841FF63FAA8DE72C3FE8891E71942210,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000284578Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.619{C8EA50B7-0169-6216-B402-000000003802}42485616C:\Program Files\Mozilla Firefox\firefox.exe{C8EA50B7-016A-6216-B702-000000003802}1800C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2bd60|C:\Program Files\Mozilla Firefox\xul.dll+e38a9d|C:\Program Files\Mozilla Firefox\xul.dll+e32cb9|C:\Program Files\Mozilla Firefox\xul.dll+e28dfc|C:\Program Files\Mozilla Firefox\xul.dll+1f97402|C:\Program Files\Mozilla Firefox\xul.dll+1a149ae|C:\Program Files\Mozilla Firefox\xul.dll+1a160f2|C:\Program Files\Mozilla Firefox\xul.dll+1bde499|C:\Program Files\Mozilla Firefox\xul.dll+179ae0c|C:\Program Files\Mozilla Firefox\xul.dll+129873|C:\Program Files\Mozilla Firefox\xul.dll+126c0cc|C:\Program Files\Mozilla Firefox\xul.dll+1be862b|C:\Program Files\Mozilla Firefox\xul.dll+1bdeaf8|C:\Program Files\Mozilla Firefox\xul.dll+179ae0c|C:\Program Files\Mozilla Firefox\xul.dll+1749117|UNKNOWN(000001D1D5751E54)
11241100x8000000000000000284577Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.619{C8EA50B7-0169-6216-B402-000000003802}4248C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\SiteSecurityServiceState.txt2022-02-22 11:23:49.748
23542300x8000000000000000284576Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.619{C8EA50B7-0169-6216-B402-000000003802}4248ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\webappsstore.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284575Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.619{C8EA50B7-0169-6216-B402-000000003802}4248ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\SiteSecurityServiceState.txtMD5=DFAF67DAB625DDFE875EEB684D6DCEA5,SHA256=BF72D23ABF4C5791D620A82A961015B42B05BB47FA92B116B4356A44F3F2918B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284574Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.603{C8EA50B7-0169-6216-B402-000000003802}4248ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000284573Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.582{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-0169-6216-B402-000000003802}4248C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1a375|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
17141700x8000000000000000284572Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-CreatePipe2022-02-23 10:33:47.582{C8EA50B7-0169-6216-B402-000000003802}4248\chrome.4248.23.34576852C:\Program Files\Mozilla Firefox\firefox.exe
17141700x8000000000000000284571Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-CreatePipe2022-02-23 10:33:47.566{C8EA50B7-0169-6216-B402-000000003802}4248\chrome.4248.22.57848119C:\Program Files\Mozilla Firefox\firefox.exe
23542300x8000000000000000284570Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.566{C8EA50B7-0169-6216-B402-000000003802}4248ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\sessionstore-backups\recovery.jsonlz4MD5=F4AD3687A0E1A9F87CECC38268B77689,SHA256=45B20C6622535B7A2AAA292680172E098BCC5D245B7C6A5C91DFF4AFE43DDFEF,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284569Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.566{C8EA50B7-0169-6216-B402-000000003802}4248ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\sessionstore-backups\recovery.baklz4MD5=AC30B39212B38CAA30C47558287D4CA8,SHA256=DC2142694DDCD4E84B6708A81E41E8FF3E5B9C0C300266283816A3549B19A711,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000284568Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.535{C8EA50B7-0169-6216-B402-000000003802}42485616C:\Program Files\Mozilla Firefox\firefox.exe{C8EA50B7-0171-6216-BE02-000000003802}5264C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2bd60|C:\Program Files\Mozilla Firefox\xul.dll+e38a9d|C:\Program Files\Mozilla Firefox\xul.dll+e38528|C:\Program Files\Mozilla Firefox\xul.dll+840734|C:\Program Files\Mozilla Firefox\xul.dll+834311|C:\Program Files\Mozilla Firefox\xul.dll+19c76f6|C:\Program Files\Mozilla Firefox\xul.dll+19c6153|C:\Program Files\Mozilla Firefox\xul.dll+168ec17|C:\Program Files\Mozilla Firefox\xul.dll+1f97402|C:\Program Files\Mozilla Firefox\xul.dll+1a149ae|C:\Program Files\Mozilla Firefox\xul.dll+1a160f2|UNKNOWN(000001D1D5772FAA)
10341000x8000000000000000284567Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.519{C8EA50B7-0169-6216-B402-000000003802}42485616C:\Program Files\Mozilla Firefox\firefox.exe{C8EA50B7-016A-6216-B702-000000003802}1800C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2bd60|C:\Program Files\Mozilla Firefox\xul.dll+e38a9d|C:\Program Files\Mozilla Firefox\xul.dll+e38528|C:\Program Files\Mozilla Firefox\xul.dll+840734|C:\Program Files\Mozilla Firefox\xul.dll+834311|C:\Program Files\Mozilla Firefox\xul.dll+19c76f6|C:\Program Files\Mozilla Firefox\xul.dll+19c6153|C:\Program Files\Mozilla Firefox\xul.dll+168ec17|C:\Program Files\Mozilla Firefox\xul.dll+1f97402|C:\Program Files\Mozilla Firefox\xul.dll+1a149ae|C:\Program Files\Mozilla Firefox\xul.dll+1a160f2|UNKNOWN(000001D1D5772FAA)
10341000x8000000000000000284566Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.419{C8EA50B7-F2AD-6215-C000-000000003802}48564340C:\Windows\Explorer.EXE{C8EA50B7-F33D-6215-E300-000000003802}4920C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284565Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.419{C8EA50B7-F2AD-6215-C000-000000003802}48564340C:\Windows\Explorer.EXE{C8EA50B7-F33D-6215-E300-000000003802}4920C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284564Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.419{C8EA50B7-F2AD-6215-C000-000000003802}48564340C:\Windows\Explorer.EXE{C8EA50B7-F33D-6215-E300-000000003802}4920C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284563Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.403{C8EA50B7-F2AD-6215-C000-000000003802}48565012C:\Windows\Explorer.EXE{C8EA50B7-F33D-6215-E300-000000003802}4920C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+639b0|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284562Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.403{C8EA50B7-F2AD-6215-C000-000000003802}48565012C:\Windows\Explorer.EXE{C8EA50B7-F33D-6215-E300-000000003802}4920C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47d70|C:\Windows\System32\SHELL32.dll+6396c|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284561Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.403{C8EA50B7-F2AD-6215-C000-000000003802}48565012C:\Windows\Explorer.EXE{C8EA50B7-F33D-6215-E300-000000003802}4920C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63940|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284560Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.403{C8EA50B7-F2AD-6215-C000-000000003802}48565012C:\Windows\Explorer.EXE{C8EA50B7-F33D-6215-E300-000000003802}4920C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x8000000000000000284559Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.150{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E213DB1E63BBB5B73B83737A63A516E,SHA256=A177A502595D5CC551F178514F5C579E8C7BD92D6FA4E3B554AFE7BC00857B08,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000213674Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:45.039{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51138-false10.0.1.12-8089-
23542300x8000000000000000213705Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:48.555{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9007C5B4EF97C0ACC31BDE30B373DB66,SHA256=04A01841278B26068CABE3637FF72D563D5151AA96CB54471B4F826C83611B12,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284630Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:48.972{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=147BF6AED78C90D4E8729782945B89A2,SHA256=4014BD6EA7EC1755A05C5079ABEFA9A3CFDC1FF52AD643FD05FFEF4B5D667E2D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284629Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:48.972{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=FDEE84B7B4903F583BE8368BC20B2BE8,SHA256=A38E570B807ACE277043BF35EDFFDA978C57FA07A211BF4AD8653937634DE931,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284628Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:48.816{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E1FD42EABDC9CBFA38D9DCC5F2EC54E5,SHA256=DDE8C407FBD46C41EB061EACDC81D5F66C1A111546FC5484330C41CBB85FE8EB,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284627Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:48.816{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1467D21D6FC55E3855EA46B70B0CF364,SHA256=4F5BDBBF3B2B8BF16A150706B7979B7A78ED9B0D3F8F777525EE636E0DBA4043,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284626Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:48.457{C8EA50B7-0D8B-6216-8E04-000000003802}2268ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\pingsender.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\saved-telemetry-pings\7a931ddd-ad59-42aa-8f07-8e0b9ff26739MD5=03FC511A460342CD4DEFA581F767DF39,SHA256=2C27BC12A0779B892912C7A11C7BA1EEB29E7F5926F963BE674214512220BAC7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284625Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:48.238{C8EA50B7-0D8B-6216-8E04-000000003802}2268ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\pingsender.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\saved-telemetry-pings\1868edc7-c857-4cda-bf8d-c3c683167443MD5=A52B87F27ACAD5B5FD356CF64E6370C7,SHA256=78F1FEA1C3D6ADAA352E8D8082491FD7B3FB62A6A8FEB3A5BB2553D7BBCBCAD7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284624Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:48.238{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73CF47D03B906CECCC19BC169FE2F225,SHA256=434418EFB8238DD765AF641E28BC24D55DBCC19AE3B1BC2C966C5EC0E403E002,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284623Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:48.222{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CCC0447FD4B279FA8C12FB02A3670EE,SHA256=13B14485AF0921F60EAD1DBB6D765F2DC69229F1D3C363F8D08409AA50AA20B7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000213704Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:48.415{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C71EBD123762779D8028010D4D1311CA,SHA256=F2CF8205D19F4AAC870A79BEAFA499ECB32110035761E627091579437CB3F843,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000213703Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:48.165{4F8D34B0-0D8B-6216-E303-000000003902}11722372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
354300x8000000000000000213702Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:45.508{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51139-false10.0.1.12-8000-
10341000x8000000000000000213733Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:49.946{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-0D8D-6216-E503-000000003902}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213732Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:49.946{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213731Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:49.946{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213730Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:49.946{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213729Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:49.946{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213728Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:49.946{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213727Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:49.946{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213726Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:49.946{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213725Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:49.946{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213724Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:49.946{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213723Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:49.946{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-0D8D-6216-E503-000000003902}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000213722Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:49.946{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-0D8D-6216-E503-000000003902}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000213721Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:49.947{4F8D34B0-0D8D-6216-E503-000000003902}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
10341000x8000000000000000213720Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:49.680{4F8D34B0-0D8D-6216-E403-000000003902}5283928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x8000000000000000213719Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:49.602{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C1B44C3FFB67009091EB632DAB08C72,SHA256=DD55CCE0A4F2C592CB06198861DF212EDC4002DE13422BAAD7225423F78D768E,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000284632Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.576{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53190-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-
23542300x8000000000000000284631Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:49.238{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=747FAAE672B17B5CFD28210C7BDE930D,SHA256=AD2D9D0264D923DF1CA827206FC86FE1F8D4C404E5086D8C04E3446A3456733C,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000213718Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:49.321{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-0D8D-6216-E403-000000003902}528C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213717Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:49.321{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213716Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:49.321{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213715Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:49.321{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213714Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:49.321{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213713Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:49.321{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213712Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:49.321{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213711Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:49.321{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213710Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:49.321{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213709Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:49.321{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213708Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:49.321{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-0D8D-6216-E403-000000003902}528C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000213707Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:49.321{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-0D8D-6216-E403-000000003902}528C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000213706Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:49.322{4F8D34B0-0D8D-6216-E403-000000003902}528C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x8000000000000000213736Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:50.618{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=414FDB35BD8396E6BED848380DAFF9C7,SHA256=5AD19CA7F576DD0F944EB93063A2DACA6FE9945E4468E64253BCF52995044379,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284635Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:50.992{C8EA50B7-F130-6215-2F00-000000003802}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03cdc2690a17b3e8a\channels\health\respondent-20220223083251-117MD5=A38EB58E8C6680789F1AEA0022EC0210,SHA256=7B5C3F2ACD9B17C99423AC4BB2B0CFD455B3A71F8C48567BF2A051FF8E6D4921,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000284634Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.485{00000000-0000-0000-0000-000000000000}2268<unknown process>-tcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53189-false34.120.208.123123.208.120.34.bc.googleusercontent.com443https
23542300x8000000000000000284633Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:50.363{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F7610EFF5CC28630008B50EF5F9CC9F,SHA256=4419CD3CED76D605EB454047487ABA881D183F430736A12B70441431457C66D6,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000213735Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:50.321{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=32CBE314A5B30CFBA83BCC2D4F37F53A,SHA256=C530B6F80BF08990DA0E3D78CC3F34137BD3E2B84CD1443A43C6456B6929AEE0,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000213734Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:50.180{4F8D34B0-0D8D-6216-E503-000000003902}32642680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x8000000000000000213750Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:51.759{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3D1000277002A405017334A8904A92B,SHA256=E7DCCBA68A65AA8DFFE868130AB6E95D80BCBDADA963EF99F0D036820153371F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284636Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:51.421{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16696309BC2A0F5639B24993197260DF,SHA256=97E3CDF9B0B23514907E0E185CA112C0CF392987BA9D3BEB65B2F8C13F91A429,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000213749Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:51.649{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-0D8F-6216-E603-000000003902}688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213748Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:51.649{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213747Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:51.649{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213746Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:51.649{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213745Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:51.649{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213744Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:51.649{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213743Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:51.649{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213742Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:51.649{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213741Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:51.649{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213740Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:51.649{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213739Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:51.649{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-0D8F-6216-E603-000000003902}688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000213738Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:51.649{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-0D8F-6216-E603-000000003902}688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000213737Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:51.650{4F8D34B0-0D8F-6216-E603-000000003902}688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x8000000000000000213752Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:52.961{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDFA7F77C1CD733C2E43B97A8149E8E1,SHA256=FB5C42B41A9E4BA23974A01B17ACE928FE24178DF64E945E7A768FC2683832D7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284639Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:52.435{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68CEFB775DAA0D31A75F53122BFA2B4F,SHA256=C41BCACD405DE02A5259F4AA98DA587BE68903CC014A4BE5B3CEE50629DCDD7F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000213751Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:52.680{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F75FF7BD0B5767A1F384F4E7D6427C60,SHA256=3A2EC0C39E605E5789E567EE34DC6325F3664DBF91358958DD957CF63D28C896,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284638Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:52.294{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E1FD42EABDC9CBFA38D9DCC5F2EC54E5,SHA256=DDE8C407FBD46C41EB061EACDC81D5F66C1A111546FC5484330C41CBB85FE8EB,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284637Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:52.000{C8EA50B7-F130-6215-2F00-000000003802}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03cdc2690a17b3e8a\channels\health\surveyor-20220223083249-118MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284640Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:53.438{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8FFCBCDF4D0D217130F91966875BEC4,SHA256=B8AF624765579AC8FC4ADF342A59E24D0DB7C69FA31CA1E28A18862EDD296A8A,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000213753Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:50.586{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51140-false10.0.1.12-8000-
23542300x8000000000000000284648Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:54.438{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0AEA4E94855B61FF884CB291CF03917,SHA256=A3DAF815D941FD59BDECBCD40934699429710DC0FD905A4EC5B47AC6F3EF483E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000213754Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:54.024{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA9E8808DDE04CF4D3051DEC76430770,SHA256=B7E67A16AD55C3346FB4B7E7B7D0892E50BA2900B3FC87FA6E1814ACD8BC00E0,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000284647Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:54.328{C8EA50B7-F2AD-6215-C000-000000003802}48564340C:\Windows\Explorer.EXE{C8EA50B7-F674-6215-5C01-000000003802}6072C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284646Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:54.328{C8EA50B7-F2AD-6215-C000-000000003802}48564340C:\Windows\Explorer.EXE{C8EA50B7-F674-6215-5C01-000000003802}6072C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284645Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:54.328{C8EA50B7-F2AD-6215-C000-000000003802}48564340C:\Windows\Explorer.EXE{C8EA50B7-F674-6215-5C01-000000003802}6072C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284644Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:54.313{C8EA50B7-F2AD-6215-C000-000000003802}48565012C:\Windows\Explorer.EXE{C8EA50B7-F674-6215-5D01-000000003802}5016C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+639b0|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284643Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:54.313{C8EA50B7-F2AD-6215-C000-000000003802}48565012C:\Windows\Explorer.EXE{C8EA50B7-F674-6215-5D01-000000003802}5016C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47d70|C:\Windows\System32\SHELL32.dll+6396c|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284642Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:54.313{C8EA50B7-F2AD-6215-C000-000000003802}48565012C:\Windows\Explorer.EXE{C8EA50B7-F674-6215-5D01-000000003802}5016C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63940|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284641Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:54.313{C8EA50B7-F2AD-6215-C000-000000003802}48565012C:\Windows\Explorer.EXE{C8EA50B7-F674-6215-5D01-000000003802}5016C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
354300x8000000000000000284650Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:53.525{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53191-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-
23542300x8000000000000000284649Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:55.453{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D04C94E411871ED6B1CA25D97C497CE6,SHA256=740C7743163741DE9D5778AD5AF96DA17881426CB51961AD6622D44B1705625E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000213755Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:55.055{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DC6A87C8249DBA52179246F31B67E71,SHA256=5EF8721993161A1F478602D862CB47AA88BB90757276B943DEA1D2ED154B07D0,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284651Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:56.485{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7ACF4248C3D66884CA38D5D2907BBFC8,SHA256=DB2E9EAF89ED41CDD9A1FFAB1FFF1CC7E3424AA3122C0BE5350551F0516B8014,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000213756Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:56.071{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C9EDC6B42BA9130C8976DD5E4FFA348,SHA256=5AE31FA1197C771F737FA56F28BAEC8BEE2684A5812579DAC37FF283C585F0D2,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284652Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:57.500{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC14D49F085471F29083C365AE03FF68,SHA256=27F9C88A26BE42CADC19F32482D308E0B80FF852EFA8D7F6A8350A69E8FA6C44,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000213757Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:57.086{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03A51BA5E73B2471020C283476355402,SHA256=E5B007D0F226B1F42723770C1FCF73D6F84B6E102BC10859806F2AAD358B5CBA,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284653Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:58.516{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D36EA80F58A808F31FB98DA0DB3F329,SHA256=1B7780BD1B5C5C08747B74051E80D2501F304AF7E7E2FAFDE77606C30BE31797,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000213759Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:56.570{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51141-false10.0.1.12-8000-
23542300x8000000000000000213758Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:58.164{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDDFE71553BFDCCE1B8C4A9C9D25F461,SHA256=B3266343250AD0B30DC9F38F5CDBEECD26610F8A9BCF891318976066021928EA,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284654Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:59.532{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BCBCDFF5EF4A163678F385812FBA338,SHA256=D957BA13EA3BAD25EB013A71301A5222EC5729F05483FCB9A220C4436263E8D2,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000213760Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:59.336{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C83031637DBBBE9E6F569177AECAD29,SHA256=26BE057E691CE8F46B569D0A3B13B0BBCD4BB2CB9C62FFDD7DA4D2E466D1CD02,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284655Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:00.594{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE1C897CCEFB4632A947EDD27D271DB7,SHA256=D3E11BD07A9EE0F47C54103E6A68D81457282EBC169B7FAF07576D44F044EC29,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000213761Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:00.399{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A951DDDC0B4D74588A7989CF79B2599,SHA256=86E0F5E98841F28400DCFC01CE342AA73B6233750F960B9B0125780EC930C795,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000213762Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:01.618{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=700BE90845FBD8A7C6FABE66DFF0CDD9,SHA256=C0F2631E87EB548A770565490FE71E49C5B652492D5A04E523CE0CE41A7E7722,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284656Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:01.594{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B4A4529B0CBE5767A579A511FD3374C,SHA256=9BA20F0313943067CFDCC8C1ED7E23E1E6B88A940AF8DC8104521ECD390A3DED,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000213763Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:02.633{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31BD56641D40CECB499EDCF6286841D3,SHA256=3A9A7D5F9B4249B8535E6E16C3DBB6B8DAF17A2FFBC27990C1296FE4DB95CA9C,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000284675Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:02.703{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0D9A-6216-9104-000000003802}964C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284674Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:02.703{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284673Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:02.703{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284672Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:02.703{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284671Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:02.703{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284670Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:02.703{C8EA50B7-F11C-6215-0500-000000003802}412428C:\Windows\system32\csrss.exe{C8EA50B7-0D9A-6216-9104-000000003802}964C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000284669Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:02.703{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0D9A-6216-9104-000000003802}964C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000284668Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:02.704{C8EA50B7-0D9A-6216-9104-000000003802}964C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x8000000000000000284667Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:02.610{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20D1795096C473241CAFAAC2A40DDB5E,SHA256=27FC5D157BC3E9049222CFCE5002804044B6088504CF16BF803B6CBC38706E2E,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000284666Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:02.453{C8EA50B7-0D9A-6216-9004-000000003802}43645864C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284665Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:02.188{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0D9A-6216-9004-000000003802}4364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284664Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:02.188{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284663Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:02.188{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284662Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:02.188{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284661Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:02.188{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284660Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:02.188{C8EA50B7-F11C-6215-0500-000000003802}412428C:\Windows\system32\csrss.exe{C8EA50B7-0D9A-6216-9004-000000003802}4364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000284659Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:02.188{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0D9A-6216-9004-000000003802}4364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000284658Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:02.189{C8EA50B7-0D9A-6216-9004-000000003802}4364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
354300x8000000000000000284657Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:59.556{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53192-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-
23542300x8000000000000000213765Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:03.727{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1C13A158A9A07521AE50D754D176F02,SHA256=8C8416AF54B70BE9ABDBDFB0537D99A37DF746A17705EB616DA2AED2E0B5C50D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284678Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:03.688{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37863969DC8F7356BDDCC892BB40B4FD,SHA256=81A0CEB0BD930E7F3FC5311088C1D6671F60BC70F1FF7B1303CD9EAF93E4B7F5,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000213764Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:01.601{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51142-false10.0.1.12-8000-
23542300x8000000000000000284677Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:03.203{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3833AB64C1038153AE483919B6885FCB,SHA256=798718CAC6A0E6D9F54EFE6DAEFEDDE7E332177EE47F3B338BB0F32DA2C3A2EA,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284676Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:03.203{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=94C217D1BB3E5963A0DF12D4DC173C82,SHA256=D739C3B76CA5E47CA22FC558A77934D920B5DA1231EFEAB227AE34E001D4B784,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000213766Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:04.946{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C49EEAD991FF382CB772A5CC4637C678,SHA256=4AC147D8B93F079B56932A32D70060F834BD310657738961AB8A3319CE34400C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284688Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:04.703{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F003663400F72ABF14F121ACBCED1604,SHA256=E93F800BF3AE349B673EFA9B5ED0E2544EB7BFC8B5AFBFC8CD0FECF69C1E0476,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284687Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:04.610{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3833AB64C1038153AE483919B6885FCB,SHA256=798718CAC6A0E6D9F54EFE6DAEFEDDE7E332177EE47F3B338BB0F32DA2C3A2EA,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000284686Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:04.266{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0D9C-6216-9204-000000003802}1000C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284685Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:04.266{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284684Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:04.266{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284683Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:04.266{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284682Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:04.266{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284681Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:04.266{C8EA50B7-F11C-6215-0500-000000003802}412368C:\Windows\system32\csrss.exe{C8EA50B7-0D9C-6216-9204-000000003802}1000C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000284680Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:04.266{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0D9C-6216-9204-000000003802}1000C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000284679Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:04.267{C8EA50B7-0D9C-6216-9204-000000003802}1000C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x8000000000000000284691Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:05.704{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73CD9E7EBCE003F4C23F5B30A3D68229,SHA256=93E53DB727C201D982787B86F390E8AE12508C3D0E2A02861F9C46A486715CBC,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000284690Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:03.057{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53193-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local389ldap
354300x8000000000000000284689Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:03.057{C8EA50B7-F130-6215-2C00-000000003802}2420C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53193-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local389ldap
23542300x8000000000000000284692Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:06.719{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E6D0DFBB6EA121E791159DB4E8A98B0,SHA256=5F902F8E8EB9DC0C10FAC35EC2AA4227C5AFBB908FA3D9FEB4F135C26B9F868E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000213767Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:06.180{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0262F55DB8BD5C3F8E883C53832DB4E,SHA256=34E81ECABA457B03B5B99D8B77A247D51436CB2F42EADBDE63E1793D48F42AF3,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284693Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:07.735{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D1A792175F323DCBA269D91202B6D1A,SHA256=85319A8AE61C00A093B9C4B221520FDE49E708F7D016806704AB4CAC05F8B5A4,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000213768Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:07.258{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12EE3277EEA1C9279AC50AEA2FE47C38,SHA256=E2693EBDB68693B9FCDFEF50C6F6800709797D5B0ED413762820CB397E8F6959,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284695Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:08.766{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25C87799BC33F49295CB9E065848EBD6,SHA256=C65A00053876CA5FE726A993E80AEF4DB8C24453BE19BF0D0E8A9F70189E66C3,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000213770Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:06.601{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51143-false10.0.1.12-8000-
23542300x8000000000000000213769Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:08.258{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A47D6B856B0F73D4302F11A86884FC7,SHA256=3FB0E35F346F28B4395833F3F0C3A83F31EECE51F89E5C2480FBBBC06EE7FA6B,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000284694Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:05.619{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53194-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-
23542300x8000000000000000284696Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:09.782{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E12F73C2BDB54088B8CCEBD61DA2C6F,SHA256=AB3810700C437ABEFC84D66721EBF01F7FC6A60D9A675F9FF7DF3F177B6324B6,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000213771Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:09.274{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=438AE0399929C0EE12D538DCB04FBF36,SHA256=31701BB564FFB4B8B4CDAF0C61B704EC535445301F1877E831E50A42AB2AB2A9,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284697Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:10.813{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7A457742B937EAF2F1FA3B810F9744D,SHA256=CC5FCDC312BE6439687590708F53D90EDA073EF3BB935D17832201752A9E4CCA,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000213772Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:10.290{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5345D2AB6472EA633CDA4A3483B1B2DC,SHA256=F4F962B5640A1442E3BEF02590094475E23C5506775160DF9455F7093E51A500,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284698Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:11.828{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8CD7D2F2D14B8D73AEEF4F3AEFB87F5,SHA256=D6329745D18C9F7F589DA819C35C9ACC472087FA95DA908FFC65BDA8ACA8B774,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000213773Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:11.539{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99ACC410DA31BA2733D7C469D2EA9C45,SHA256=5B58AC895A9DF6AF8B4364DC4744EDDAE4C708178E3BE2549853D1FE9A00D79B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284699Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:12.860{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F24D2F2A3705FD727CCB45BAA578DA88,SHA256=059839087619AB777DAD8F63D4FE4BCF7C65B025916E8D25C5B3A2FC7C1CCDFD,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000213774Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:12.539{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9845CC71D36DEDAA1834B42ED741B8D7,SHA256=CFD6F09DB8ED8975CF2A27701DD213BFD0E4A4F2ACE52066CAA5E488F09F028F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284700Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:13.875{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0A5DD684955A75B4BD6F16693BB8A1F,SHA256=B52AE2C1CEB32566B7EB2F9D4C4803F968E4B67FFA0BEEDEB6AEE31F961A2206,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000213775Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:13.664{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=471D5D1633C750262B7F9A000A343BEB,SHA256=E5B04BECA4B7D8DED7654FA42B7EDC6D42555E2039DC09618E5929677C810B5E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284702Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:14.891{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=345505C795E5C9EAA0BC0A1242C78950,SHA256=F09D541D6A44455296DCDEEEA60849F7CF9ACC525468C295A3E1CC75C80437C4,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000213777Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:12.648{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51144-false10.0.1.12-8000-
23542300x8000000000000000213776Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:14.742{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04782E1AB3EA715D20EB965B57A27A3A,SHA256=2CDA3A39AB0657B013FF86A870C299C539F8BA16A9B1B975F6971749BD73C8E3,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000284701Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:11.541{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53195-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-
23542300x8000000000000000284703Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:15.907{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E28248668883C8CF6A9C6B6E1F194CCA,SHA256=8C628099E2D8BCD112AB485AC2591C7D364EDA3E44A8070DD6820C39112744B1,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000213778Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:15.789{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7C8E3F11BDF85A566A71F2DF9DF39D6,SHA256=EE8D21E2BAE81C14B42FC7A48BA9EF33F42A6FA0570778D3DD2511DD0A9E28A7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284704Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:16.923{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A96B04A11B21906ACF6850BB288E0E6,SHA256=D60A7D3482C9058CC8D1C18EB70933718F14035018484F9FF5A11170F2C4FDBC,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000213779Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:16.805{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF030374AA3777C299A439E2D08FDDF4,SHA256=46D6F8823295C6B8D90FA9CD6D1D10CC0CE07C1DEAD5A261411CFA6843D36376,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284705Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:17.969{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EC8DBF1F41CF3EE3FB6D16662190036,SHA256=7CF29E640F630B3D78D85930F0DC592AF1F0EA8F9AD0669CBD15967DFF5322BF,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000213780Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:17.836{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BB6E0A685FF23823E236B2CEE49C222,SHA256=9D711217E715F1F14ED012C06340C9686915EC0E2885909B759D91C021A66435,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000213781Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:19.055{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E855A446D98005BF6B458CA6519A649,SHA256=C21F564744215CF4E78E5CC23D1D5F928323D73BE0E2C9DB65F6AAA83F7CD67F,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000284715Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:16.728{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53196-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-
10341000x8000000000000000284714Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:19.766{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0DAB-6216-9304-000000003802}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284713Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:19.766{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284712Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:19.766{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284711Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:19.766{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284710Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:19.766{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284709Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:19.766{C8EA50B7-F11C-6215-0500-000000003802}412368C:\Windows\system32\csrss.exe{C8EA50B7-0DAB-6216-9304-000000003802}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000284708Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:19.766{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0DAB-6216-9304-000000003802}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000284707Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:19.767{C8EA50B7-0DAB-6216-9304-000000003802}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x8000000000000000284706Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:19.016{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=637125A336FA152C6F8338DE38626318,SHA256=EA136A72FE8DB2A05F518E9CADD433CBDEFC05FB44165873A4E575E63C04D7A6,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284728Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:20.813{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D87EF74F352C87D9EB9C459AF242EE6E,SHA256=F1A9EDADD41B123FF2048EA1AB78453BFDF68012A22DD421DAD90DE0DD06FAE1,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284727Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:20.813{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CD57A866B355F3CE25B7E8D703B49E2A,SHA256=EC6BC6177E0619EB67E062C16B01B8A8062C4AD2FCD3E1185E53C0D65663B6A8,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000284726Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:20.610{C8EA50B7-0DAC-6216-9404-000000003802}61126028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284725Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:20.407{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0DAC-6216-9404-000000003802}6112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284724Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:20.407{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284723Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:20.407{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284722Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:20.407{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284721Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:20.407{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284720Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:20.407{C8EA50B7-F11C-6215-0500-000000003802}412528C:\Windows\system32\csrss.exe{C8EA50B7-0DAC-6216-9404-000000003802}6112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000284719Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:20.407{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0DAC-6216-9404-000000003802}6112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000284718Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:20.407{C8EA50B7-0DAC-6216-9404-000000003802}6112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
10341000x8000000000000000284717Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:20.157{C8EA50B7-0DAB-6216-9304-000000003802}51645968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x8000000000000000284716Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:20.048{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F8DA5D1193E1C45705208625D48B5B2,SHA256=E3441001A0228FA4BB9C43EBD7E2C6E0F779CCB38DDC1B337AA82E0E82066BE6,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000213782Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:20.086{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64596C99F52F5CF1002C525EA1559789,SHA256=3082D441016FF274743F0565396FB9B73FF5DBF1F5FB4B593E8E9E19C07D550D,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000284746Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:21.578{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0DAD-6216-9604-000000003802}2400C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284745Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:21.578{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284744Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:21.578{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284743Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:21.578{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284742Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:21.578{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284741Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:21.578{C8EA50B7-F11C-6215-0500-000000003802}412528C:\Windows\system32\csrss.exe{C8EA50B7-0DAD-6216-9604-000000003802}2400C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000284740Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:21.578{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0DAD-6216-9604-000000003802}2400C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000284739Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:21.579{C8EA50B7-0DAD-6216-9604-000000003802}2400C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
10341000x8000000000000000284738Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:21.391{C8EA50B7-0DAD-6216-9504-000000003802}47765596C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x8000000000000000284737Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:21.188{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D53AE1CDE1C19B7A390FAAA0FF0073B,SHA256=A8B4E2FE6D3B475FBF691A22F9A569C60666D83AC2502FFA369B920A849472C4,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000213784Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:21.102{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C075EC087669F795016595D60706069A,SHA256=49826B9A652E3904DBECC2C9BFC0DB180031E74C5CCB69F9BA81914E70154EAA,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000284736Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:21.078{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0DAD-6216-9504-000000003802}4776C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284735Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:21.078{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284734Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:21.078{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284733Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:21.078{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284732Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:21.078{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284731Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:21.078{C8EA50B7-F11C-6215-0500-000000003802}412528C:\Windows\system32\csrss.exe{C8EA50B7-0DAD-6216-9504-000000003802}4776C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000284730Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:21.078{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0DAD-6216-9504-000000003802}4776C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000284729Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:21.079{C8EA50B7-0DAD-6216-9504-000000003802}4776C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
354300x8000000000000000213783Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:18.526{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51145-false10.0.1.12-8000-
23542300x8000000000000000284748Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:22.188{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D3248FC1DADDD538BB66FB8E48BA546,SHA256=2F5560F0DECB56BA52F844EBF3748965CFD35F36F564B186D55C3E1CAD3D10F2,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000213785Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:22.133{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A616AF98908CC34CCA349A480E7D2FE7,SHA256=1D84FA2EBE032D3FA17E3963F55307130BCD3D0082A40A639DA74C05A47EC786,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284747Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:22.094{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D87EF74F352C87D9EB9C459AF242EE6E,SHA256=F1A9EDADD41B123FF2048EA1AB78453BFDF68012A22DD421DAD90DE0DD06FAE1,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284749Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:23.219{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C7781F16D8F53C687B13A22C1E36FA9,SHA256=0D449E55C07014ADDD3C20329E93FF1BAED512D011018483B7069101404112F6,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000213786Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:23.148{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=617AF2FB2CB9501FC72BAF562B79CBC3,SHA256=FCA6ACB27343096DB6F7D2042F9B56EFC4EE7E4B6BF491F857E0F77E0E3C1F50,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000213787Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:24.305{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BF572AF45565DFBA546184A41D4E86A,SHA256=4CAB7AF6FE56E101A60251811A957E1E50B067116CDDFAC1CA24C38B05D1FBFC,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000284751Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:22.713{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53197-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-
23542300x8000000000000000284750Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:24.235{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65550F40FB9A03D58BA6500B8B6478A0,SHA256=B587FA26D9C217429E8F0D0EA457F1339A8164AAA37579999E31032E98EF4E30,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000213788Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:25.305{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE5E02B54A3841FEB30F9A508953452E,SHA256=FBDFDC6035FDA9EC6042C45B1246289067076E7941CD1A69B7631200577EA9FB,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284752Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:25.250{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50108D0E27129EA7D13E81F951853105,SHA256=CF40D3459ED64172C2912FB873108268F4EFFCB5ABDFB7C1E78496DE0499B646,IMPHASH=00000000000000000000000000000000falsetrue
13241300x8000000000000000284763Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 10:34:26.625{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006)
13241300x8000000000000000284762Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 10:34:26.625{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x006fc0b4)
13241300x8000000000000000284761Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 10:34:26.625{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d82898-0x8c61bf09)
13241300x8000000000000000284760Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 10:34:26.625{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d828a0-0xee262709)
13241300x8000000000000000284759Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 10:34:26.625{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d828a9-0x4fea8f09)
13241300x8000000000000000284758Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 10:34:26.625{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006)
13241300x8000000000000000284757Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 10:34:26.625{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x006fc0b4)
13241300x8000000000000000284756Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 10:34:26.625{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d82898-0x8c61bf09)
13241300x8000000000000000284755Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 10:34:26.625{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d828a0-0xee262709)
13241300x8000000000000000284754Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 10:34:26.625{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d828a9-0x4fea8f09)
23542300x8000000000000000284753Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:26.313{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=803F6357D67BEFCAAABD27F7BDD10E4A,SHA256=A11F5C229118789C5CA32A62494B263367504DEE845664130DEDF257172BBAB7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000213790Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:26.445{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDC002A07810ACCB7A3ACB4BEFE527F1,SHA256=2849666E2C064E1AA2E8C33F90015EEA6A90C568CDE141B0FC8977E854C2C48C,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000213789Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:23.601{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51146-false10.0.1.12-8000-
23542300x8000000000000000284764Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:27.344{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADEB9F54CC4DF539F180A2C91BEB0ACE,SHA256=B895616F0AD425BCD87E8B694A625C5100516F350A65B7B93EE2CAA598E6595E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000213791Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:27.539{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7F0A902D6AE0E4F04CB471109A48229,SHA256=999405761F2D94281FA9F084F3ADF0CFAFF005A6672F2FF08587DC6E294B6EFA,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000213792Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:28.617{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4EE354C68EF61C3941EC4F656A8E887,SHA256=5723DAE72D85E27C0AEAAE4E1D102A860EE6B076818E6719C40250F2DA214AC0,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284765Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:28.375{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4224A3D62FD9682EF181FB9750C518BF,SHA256=27BD203C25EACEB74042297C96B3E449302D73678FA15AC4E4C42B9859639B5C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000213793Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:29.851{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=366D96282691FB55CC71FBBE93CCC055,SHA256=1D1D8A80255A334DAF86F3D1297F14F3AF1647A831DD85A8E99D1C9A7980DFC1,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284766Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:29.391{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C9F293D2EEBFD6D240C06D2AF90BD45,SHA256=265FEF3B6CCE30C31109DFF2BDE8E43E574AC66A724B233E57B9752C76127DB4,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284767Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:30.407{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3580A54B43562C9F00076D667ACF0D86,SHA256=6C9A7FD1A83A540105C494D6110E237CC765A3A8F0B14424B32CBD378A0F9E61,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000213794Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:30.226{4F8D34B0-F11C-6215-1100-000000003902}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=1B97DEBAC50C64816EC8CCE33F01F0E9,SHA256=64F11EC89E0B4014545488D52421E47D566DC5B70BECEBCC711CFA4A66BD9C26,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284769Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:31.422{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89439459EC8B99AB0864AC8223E45D1E,SHA256=596CD267742E1ECBB88E7951C756D1BAEB8186D670E645E25EA744669046FD36,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000213796Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:28.649{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51147-false10.0.1.12-8000-
23542300x8000000000000000213795Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:31.070{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56912E1419C92DBD8E46946A504A0BA2,SHA256=DC0F962F7A8370C1EE628BDA5A5F24B34DFAC563CFCB68F73545E573E918DED1,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000284768Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:28.650{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53198-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-
23542300x8000000000000000284770Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:32.438{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57D2F91D3B632D088F6507562CDF23FB,SHA256=086F1C374B841F900993891E437E45E5879B45AD52687D8981D7ABC6823EC0FC,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000213800Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:32.680{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11C-6215-1300-000000003902}832C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213799Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:32.680{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11C-6215-1300-000000003902}832C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213798Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:32.680{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11C-6215-1300-000000003902}832C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x8000000000000000213797Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:32.164{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B61D60D78E2DBB13D10393D337129F8,SHA256=4E98B798B60B723F306B5C9083B8812CB52110240621A82D42A142C2C85AB6B2,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284772Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:33.453{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9E217CF9D1F2778CC7B5CC62BB8D242,SHA256=D2DE7EE8B80193AFF8B2A65978DBB5E0D5D5C93CD885AE56C1564F48E93C8B7C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000213802Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:33.886{4F8D34B0-F11D-6215-1D00-000000003902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04ffbe17aee3fbf0d\channels\health\respondent-20220223083233-118MD5=7840F8D654EED3E7C6FA395A9E23FA56,SHA256=FC4C38DACEF1698268BE802A03907A00216EAC67FA531AF20528DD4173FB9624,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000213801Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:33.195{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EA4F6A2E812A64DF41D09410F4092EA,SHA256=04364FA32F8F3AB5F8D4806C43E90220750D736A22062E893219B6E5E6F67B43,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284771Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:33.235{C8EA50B7-F11F-6215-1300-000000003802}616NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=E0803E8C6D3735EBDDE96162444763DE,SHA256=134A867B65C75440F836FDBB6E102B36B7E421DC0A3155FB4DAB9C8567D97D79,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284773Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:34.532{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48AAF63CFF87500D0784B4DBC3C6F76B,SHA256=D5AD83EDD765E698C230089B7F5B959F1B53A810D42AF080DE603989126AC891,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000213804Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:34.885{4F8D34B0-F11D-6215-1D00-000000003902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04ffbe17aee3fbf0d\channels\health\surveyor-20220223083230-119MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000213803Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:34.197{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CF53E71AC2A9696AD68E5DA1AD63C99,SHA256=E9A0C017F6ACABB8C90B702EF11455AD1F029F2EA5B467974CA929ACEB87F1F5,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284774Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:35.547{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC43127BEB6FD1C10D0B479BA6F3315A,SHA256=09D5FCD4FF28B1A6CC15EFDC03D9DEA90E9E1C515B080B4E6CC7E0549678893D,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000213806Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:33.666{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51148-false10.0.1.12-8000-
23542300x8000000000000000213805Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:35.227{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B33CEC8D6CB6C1B739A01894BBEDF64,SHA256=246D7FE53E11F1C592B0808CE6F3C88A33B6011E214BF738ACB5BCDD9FE5F5BB,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284776Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:36.563{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE111C508A6BC5EFEF44F1E51BDC1657,SHA256=1FA912166F5B6514D942E5498A33E348C04D6A70292579FE1E5EFF3415A235A0,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000213807Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:36.229{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=587A3A3B68DBB046B5FBEC6A756DDA87,SHA256=480ECF9985C53BB57E794164B9CB8AF8D89EF525699CB89D51066A21BA2C4B0C,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000284775Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:33.697{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53199-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-
23542300x8000000000000000284777Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:37.750{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=797268CE048E3D1D0F8EB2AFB4ABC6C0,SHA256=641EC8BF47FBAD40D1FCDCAB526D421F8BC1AAFE5A9BF8D92829BCFD4D3B62A0,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000213808Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:37.464{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21BC15096342D9594B8EAC747469E562,SHA256=F338EC3A9C405D70273BA60AD3F1EA7D4293C2C65D4AC573B9DC323A4F6098FA,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284778Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:38.797{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29FD5B202C97A80F1C34F0FF3DA9696F,SHA256=A9CF5CEC689F46076ABAD7E1790FBED2908C8DDB50F9BF9A4497DC36F7D6EBA6,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000213809Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:38.573{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4113CBBC9781F7FDC8EF1722F2BD368,SHA256=CF1557328EF5BC5FDF48B601693478724D96ABCA7B4FB3B82B7596400A2DD9A6,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284780Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:39.891{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79D4F3C03F780218CC186535E07736BC,SHA256=1CC8899FC314425446D91277FF4D33157C007CF0EBD2D1B2BD50CC7459000421,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000213811Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:39.745{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADBCEE19E2C87DB7AC4D69E932CD39AD,SHA256=14030F1D6D6553A51B2CA4A36567932880883920CB94B30E73B45758149AA96C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284779Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:39.391{C8EA50B7-F130-6215-3000-000000003802}2512NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C796F5788518CF0F57AB5C87207C5D14,SHA256=0CE7095FECB35749AB15D15586D728EDDAEC94009FC3FB4FCEDC790B064FF951,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000213810Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:36.308{4F8D34B0-F11C-6215-1100-000000003902}980C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruetruefe80:0:0:0:ad4f:96:d14b:8b64win-host-tcontreras-attack-range-985.eu-central-1.compute.internal546dhcpv6-clienttrueff02:0:0:0:0:0:1:2-547dhcpv6-server
23542300x8000000000000000213812Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:40.792{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF27597E39E25933402E448F248C374F,SHA256=990A820CA9EF287255A653ECBFB3EF0E4A0794D4EA167EE5BD51E800731323F5,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284782Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:40.891{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC9D04F6D5E835A7BDAE63D4DAF1BEAB,SHA256=3B4CD80186777134F85C1880B0738BE4568D1F3C9BBFA6AADC6E4FABA1BCC63E,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000284781Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:38.697{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53200-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-
23542300x8000000000000000284785Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:41.985{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5B8B9A08F706F175B1A31446D52E987,SHA256=55350443B95B160E30F3A1FBE145CDB5D5EDCD1F3D700D32C8865B9EC5DBCE12,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000213814Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:41.839{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DF0D5F45315BFF8E60FC89103179447,SHA256=9007ECF105BC55F49E143FBBBC6E8ACA02D0BBC36C3EC9519B19EA1E9A94BE78,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000213813Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:39.448{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51149-false10.0.1.12-8000-
354300x8000000000000000284784Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:38.854{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53201-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089-
10341000x8000000000000000284783Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:41.422{C8EA50B7-F11F-6215-0D00-000000003802}8883340C:\Windows\system32\svchost.exe{C8EA50B7-F11F-6215-1000-000000003802}364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x8000000000000000213815Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:42.854{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7F85DB444C7A90AD01BB5C2ED680BAE,SHA256=9D58E7FA1D97DCAC3CE9ED34E5FEA1B98C050767DF417126542C36869E04FB72,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000213816Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:43.932{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBDFC821F35F5B8238ECF470CF361560,SHA256=6DB7839717B2F59C577C9A01CB5EDDE30916D5A149E2B67FAF2B6A5F4EC06B5A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284786Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:43.000{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3F0373E7537EDA797D09F59DBC02775,SHA256=782C42767B85FBB375FD56938D61A72609898A148A8E7C7A72048ECC7ED44582,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284787Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:44.016{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01516A5425A25F2B222C3B7D0FC749C9,SHA256=D90083D9A32AC72D162AA38C07F56B23E0B84A29465C6A676F290E60466D029A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284788Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:45.032{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3F00616092076C75C30AC23D66CCFD8,SHA256=3A70D5B1394B7328D7B244B983E6018BA9CFA4E7BC1624C84C0F79630858B84D,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000213844Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:45.823{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-0DC5-6216-E803-000000003902}1008C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213843Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:45.823{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213842Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:45.823{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213841Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:45.823{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213840Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:45.823{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213839Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:45.823{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213838Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:45.823{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213837Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:45.823{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213836Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:45.823{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213835Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:45.823{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213834Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:45.823{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-0DC5-6216-E803-000000003902}1008C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000213833Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:45.823{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-0DC5-6216-E803-000000003902}1008C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000213832Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:45.824{4F8D34B0-0DC5-6216-E803-000000003902}1008C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x8000000000000000213831Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:45.636{4F8D34B0-F11D-6215-2300-000000003902}2036NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C796F5788518CF0F57AB5C87207C5D14,SHA256=0CE7095FECB35749AB15D15586D728EDDAEC94009FC3FB4FCEDC790B064FF951,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000213830Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:45.151{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-0DC5-6216-E703-000000003902}3128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213829Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:45.151{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213828Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:45.151{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213827Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:45.151{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213826Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:45.151{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213825Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:45.151{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213824Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:45.151{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213823Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:45.151{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213822Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:45.151{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213821Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:45.151{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213820Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:45.151{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-0DC5-6216-E703-000000003902}3128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000213819Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:45.151{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-0DC5-6216-E703-000000003902}3128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000213818Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:45.152{4F8D34B0-0DC5-6216-E703-000000003902}3128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x8000000000000000213817Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:45.089{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA4AA3B87D98E229ADC3D196C6A4A748,SHA256=2B0FCD20EBE522BFA04D8955BD2F746B7A42B7307B2F105F0987600F0DFC0BB3,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000284790Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:44.666{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53202-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-
23542300x8000000000000000284789Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:46.188{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A132FB2FDCE729D0EBFBEC082264246,SHA256=9B34915A9B29D07292938AF68F12F1FB6DA07CF662D74B31342E4ADFFAE4D68C,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000213849Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:44.669{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51150-false10.0.1.12-8000-
23542300x8000000000000000213848Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:46.370{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6AC9BC0F913C746A1C7BB864E298E5F,SHA256=19AE90706F4D3C3E7D1D1CC5907BF1B6C24FEA34915C9332DE74D26B33E8FA5B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000213847Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:46.167{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B2A0D3C5216790087E85372BD9CE3985,SHA256=B82B3DDD865909EC19B3ABC6091AE684565B660A694EFDCB77C2F8479D27B4AC,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000213846Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:46.167{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CC34105F612AD7B457DD3F4DC095E613,SHA256=52D995D27420954E795C35D7EACD0B6DD3CD78D8DBC8A10EED5744C1F9DD3D64,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000213845Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:46.011{4F8D34B0-0DC5-6216-E803-000000003902}1008776C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
354300x8000000000000000213865Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:45.057{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51151-false10.0.1.12-8089-
10341000x8000000000000000213864Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:47.651{4F8D34B0-0DC7-6216-E903-000000003902}26562684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213863Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:47.432{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-0DC7-6216-E903-000000003902}2656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213862Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:47.432{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213861Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:47.432{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213860Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:47.432{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213859Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:47.432{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213858Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:47.432{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213857Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:47.432{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213856Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:47.432{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213855Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:47.432{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213854Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:47.432{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213853Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:47.432{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-0DC7-6216-E903-000000003902}2656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000213852Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:47.432{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-0DC7-6216-E903-000000003902}2656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000213851Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:47.433{4F8D34B0-0DC7-6216-E903-000000003902}2656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x8000000000000000213850Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:47.370{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DC6FC88E52965574AB7BDC4E23F5869,SHA256=B7B156C38D84C949D098340576A622EA8DDEFE6B16A0707360018CC5409D76E0,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284791Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:47.235{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F2EF23BAFD6E44C3083BD321EBBFBB4,SHA256=F68B712DF66B42324F0890782FB555CA573C6652B178F81FDF36BBCCE1BF589E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000213880Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:48.682{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68F87279CD68AAED6A8BE5CE6BBFB7D4,SHA256=8DCF89B086325311470A6DEBAC5591329C7E18C4858F996681A11AA175E28A66,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000213879Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:48.682{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B2A0D3C5216790087E85372BD9CE3985,SHA256=B82B3DDD865909EC19B3ABC6091AE684565B660A694EFDCB77C2F8479D27B4AC,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284792Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:48.344{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FD8AA87FCCCC5F9E31F8FD4A8C09AB0,SHA256=40C4912E3076C8B4A3666EF5CE652B25DED39D10C49CF0746A860F963ACB290C,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000213878Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:48.105{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-0DC8-6216-EA03-000000003902}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213877Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:48.105{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213876Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:48.105{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213875Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:48.105{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213874Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:48.105{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213873Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:48.105{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213872Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:48.105{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213871Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:48.105{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213870Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:48.105{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213869Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:48.105{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213868Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:48.105{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-0DC8-6216-EA03-000000003902}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000213867Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:48.105{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-0DC8-6216-EA03-000000003902}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000213866Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:48.106{4F8D34B0-0DC8-6216-EA03-000000003902}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
10341000x8000000000000000213908Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:49.823{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-0DC9-6216-EC03-000000003902}3392C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213907Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:49.823{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213906Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:49.823{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213905Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:49.823{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213904Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:49.823{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213903Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:49.823{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213902Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:49.823{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213901Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:49.823{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213900Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:49.823{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213899Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:49.823{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213898Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:49.823{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-0DC9-6216-EC03-000000003902}3392C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000213897Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:49.823{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-0DC9-6216-EC03-000000003902}3392C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000213896Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:49.824{4F8D34B0-0DC9-6216-EC03-000000003902}3392C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x8000000000000000213895Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:49.698{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E83E17485BBAF0B46A54061AEC531D09,SHA256=9A5198F1C937811678656F1EC821B371A871BE980B796D38439426F6BD8A7CBC,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284793Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:49.360{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE345057E30B8EB451A980A5DD6FC71A,SHA256=24A45CF2AB6D070BA511CB26118F1C039841A93E18AD7E72CB1AB5D7E04A70AE,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000213894Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:49.604{4F8D34B0-0DC9-6216-EB03-000000003902}9962560C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213893Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:49.323{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-0DC9-6216-EB03-000000003902}996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213892Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:49.323{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213891Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:49.323{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213890Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:49.323{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213889Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:49.323{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213888Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:49.323{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213887Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:49.323{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213886Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:49.323{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213885Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:49.323{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213884Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:49.323{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213883Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:49.323{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-0DC9-6216-EB03-000000003902}996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000213882Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:49.323{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-0DC9-6216-EB03-000000003902}996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000213881Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:49.324{4F8D34B0-0DC9-6216-EB03-000000003902}996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x8000000000000000213911Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:50.714{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2F3D11D4C7231FA2E828C15DFF4AE67,SHA256=82F6A75BE927645EEA596D46116887A3F137E7E950FBEC2C5E4C42D5AE4240F5,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284794Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:50.375{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C197922760039AA742AB4AD6BCCC9C4,SHA256=7407CB5ABC6367B95AECC0CCB70D85D0B4089B573D2905ED1AC3CD09068DA3EA,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000213910Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:50.339{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7FCF0EABD736774AAA204EAB8243D0EA,SHA256=C5BCB452C1ACD8DE96BD67D3283E3B4725DEE07FCA1F6BDCA30452C2233B6535,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000213909Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:49.995{4F8D34B0-0DC9-6216-EC03-000000003902}3392836C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x8000000000000000213925Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:51.823{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC2578E0A781BB053081C1907F66DEE5,SHA256=9AC19AE9F8FBE093370A0188BDB80E1254979AB38CA7FDBC88A486BC8FBA5784,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284795Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:51.391{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F43CC63F559F697882423BDA4C5606D9,SHA256=CCDA7E80B4BC54B2C57022844A94D52DDB9CCE2A134DA8BF5A0B7451A37D6146,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000213924Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:51.651{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-0DCB-6216-ED03-000000003902}1988C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213923Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:51.651{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213922Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:51.651{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213921Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:51.651{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213920Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:51.651{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213919Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:51.651{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213918Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:51.651{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213917Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:51.651{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213916Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:51.651{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213915Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:51.651{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213914Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:51.651{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-0DCB-6216-ED03-000000003902}1988C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000213913Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:51.651{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-0DCB-6216-ED03-000000003902}1988C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000213912Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:51.652{4F8D34B0-0DCB-6216-ED03-000000003902}1988C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x8000000000000000213927Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:52.839{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=409FC8D43EAA6DAF98916E35502BB71E,SHA256=45E56EBA9D9A51AC83367B1F168036FB457ACFA472F338A4DCEE34A7AA17E468,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284797Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:52.519{C8EA50B7-F130-6215-2F00-000000003802}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03cdc2690a17b3e8a\channels\health\respondent-20220223083251-118MD5=A38EB58E8C6680789F1AEA0022EC0210,SHA256=7B5C3F2ACD9B17C99423AC4BB2B0CFD455B3A71F8C48567BF2A051FF8E6D4921,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284796Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:52.392{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30C962683A8622D1E43380EF1FE7A80D,SHA256=A406093EEB5878342E217EA84DB905FBE20802E978F5284B54D68A3250E8F6BD,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000213926Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:52.667{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8C6BEC7D8D151D10B13690689D76F8F7,SHA256=8FDE7CFEEA6F2D821D7BA4941AC5A73032BDBAF4DE60D93D972237076F611D3B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000213929Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:53.870{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEE9C04D86BFBBF51937E136AC61CE82,SHA256=48E6A65F65A914BDF523E05F63E862C10840CBF860BD9F8989D5ED26024CA59B,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000284803Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:50.619{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53203-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-
23542300x8000000000000000284802Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:53.534{C8EA50B7-F130-6215-2F00-000000003802}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03cdc2690a17b3e8a\channels\health\surveyor-20220223083249-119MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284801Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:53.407{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB1B8EB77837AA7E799E399B357B3F81,SHA256=7716609B65314D550E91506A9FF74FC717E57EE7A6BF67081CFCDA028CD204AD,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000213928Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:50.495{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51152-false10.0.1.12-8000-
10341000x8000000000000000284800Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:53.251{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F11F-6215-1600-000000003802}1208C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284799Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:53.251{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F11F-6215-1600-000000003802}1208C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284798Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:53.251{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F11F-6215-1600-000000003802}1208C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x8000000000000000213930Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:54.979{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8ED99A04D83A896DC75A395A311726F0,SHA256=C552582B47A626730646A1D1E4D2D4918A0577C98AC9C3E3CA2AF7820349451E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284804Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:54.410{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5A35FBE49E2659B60753936C66AF677,SHA256=3C13C65077A841CCB9FC73D93C580480FA49922D5BED466F1D2F965B933E75A7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000213931Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:55.979{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=853E05D3CF8B1D1B38296DC60C4C5FA2,SHA256=067824A74ABA14A4F124D4385C96DC3FE88A81F0D6F44D2A0001F13CD5B92967,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284805Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:55.535{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=011F53ECF98DD7A46BF74E2F44A35A77,SHA256=B3CEF4A49B625BFABA4968AFE61E70F7B78F0B6FEC86CFA978CAEA4F91EF1CCD,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000213932Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:56.995{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B98BE80B7A57AC471982A87C602E5972,SHA256=76B236619F36C0D9280E5306C556C1AF3D2F1DA9A2E66127CC08D77A03CD7758,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284806Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:56.598{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66476C21E4B5B19A9FE78882C92036DF,SHA256=DC015C9F88E929C160C1842559F3441B5D7981A33F9C2F01B2E270E9CF43647B,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000284808Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:55.669{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53204-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-
23542300x8000000000000000284807Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:57.613{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82D23D750EFB0859C184BAE082BD01CB,SHA256=3F69BAEED0BCDFC225B625B146FA3C688F688EA0FA47C01D213DF323196A180E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284809Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:58.629{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16C28C69FC6C230EEFB07FA6A747D939,SHA256=49D58D3AF6B4A9109F696468C7AA0C094E864DA25F43674B6CAF0E059AFA8856,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000213934Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:55.511{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51153-false10.0.1.12-8000-
23542300x8000000000000000213933Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:58.042{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1271B9E5AB1CC656FE10BE7422CB5AFF,SHA256=AB14091BCB1DCB2F286FB3B3696074135B08BE1A1B117BBA6CD25B7F5A365B38,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284810Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:59.645{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=667B1F99B05C5406581D72036C7DD5F2,SHA256=6ADBD85570C3CFA502545AD4BFD953289B3FF94CD107C3FF7C0D1D650E2E4FDB,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000213935Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:59.120{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6E79BB65802AD578B462FF1690F7B08,SHA256=55729B4F550BA7F7DD3FCE6C11A11BF2ECF74EC9E3982E55F93AEF6EA59F63C2,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284811Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:00.660{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFB61E247C57C6F99AFCEC8CB8B6CE79,SHA256=1E9DF52A582659AFE37957D757A969AE2D98E69AAB732D7E1FE93F03A4766142,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000213936Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:00.151{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF9FD88F72EF24C67202B06B41328C4B,SHA256=F615F3C67A5F796052F31C0D667DA8B6FE2BB4DBC20FD847B97E488DC619FB83,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000213937Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:01.338{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26FE47E29F94D3387F61F44A191C7A2F,SHA256=E12D9AFC3BFBAF67279C004E09983FDACC7AB786131EB6D7E3147FE9D7865D45,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284812Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:01.692{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC13003C2D834F032FA73FFAD176BEE2,SHA256=E1D1F830623AE3D144B4CFA029036AAD65C1D44528494C82BA1B4BA12D7010B9,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000284830Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:02.770{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0DD6-6216-9804-000000003802}5344C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284829Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:02.770{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284828Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:02.770{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284827Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:02.770{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284826Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:02.770{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284825Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:02.770{C8EA50B7-F11C-6215-0500-000000003802}412368C:\Windows\system32\csrss.exe{C8EA50B7-0DD6-6216-9804-000000003802}5344C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000284824Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:02.770{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0DD6-6216-9804-000000003802}5344C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000284823Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:02.771{C8EA50B7-0DD6-6216-9804-000000003802}5344C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x8000000000000000284822Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:02.707{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC2AB16EF4A6918E189CB3C845FEAD06,SHA256=CF7599CA2094849802A1E25B5D8C60B76C531CD453159FBC0A6DE1EAAB5517C6,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000213938Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:02.370{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F485C8B37EFF94A8449B971B63E12C3A,SHA256=09597249AB7EBADEBC81EBC5223B6D664784C0F82A575B077144C937F6DCE402,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000284821Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:02.301{C8EA50B7-0DD6-6216-9704-000000003802}60243624C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284820Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:02.129{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0DD6-6216-9704-000000003802}6024C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284819Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:02.129{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284818Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:02.129{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284817Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:02.129{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284816Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:02.129{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284815Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:02.129{C8EA50B7-F11C-6215-0500-000000003802}4122608C:\Windows\system32\csrss.exe{C8EA50B7-0DD6-6216-9704-000000003802}6024C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000284814Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:02.129{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0DD6-6216-9704-000000003802}6024C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000284813Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:02.130{C8EA50B7-0DD6-6216-9704-000000003802}6024C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
354300x8000000000000000284834Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:01.545{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53205-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-
23542300x8000000000000000284833Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:03.707{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26F46D4E910016374F480F3DD7C2AB2F,SHA256=3AD8BCB63FD4FE8B907027776921E89125774FC4DA1EBE24D7C2D4081AB284EA,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000213940Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:01.479{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51154-false10.0.1.12-8000-
23542300x8000000000000000213939Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:03.385{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EB1AAFB8CDBE8F2A56366A0D0A7FCA9,SHA256=40B8062B119542751333C16DB35B519EC88CE81A2AA30C31FBDB287DFC91D3DF,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284832Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:03.145{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F87CBAF3BE1A348DE1BBE5DCBB7F1A23,SHA256=539670B5EFD775EFBAC00FE5A8618C4DB3B1C2C28129B22C657A002C55C19137,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284831Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:03.145{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7A01A148D27AE4DE31654335EF918DE9,SHA256=E68564EEB3FFDD54F9F303F24A1BD44950F7D253A03BD447D982A635962378D4,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000284846Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:03.060{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53206-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local389ldap
354300x8000000000000000284845Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:03.060{C8EA50B7-F130-6215-2C00-000000003802}2420C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53206-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local389ldap
23542300x8000000000000000284844Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:04.738{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9ECDA962E395BE48C2AAE72CE986733,SHA256=B12393D1E31ECBE81BA20E8C538A71895CD2AEAAF4970A00D4BA9A57C8F58572,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000213941Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:04.432{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51C342C89990D7312F0EDDC293025643,SHA256=57658F519B524D004780F7C0B482616E19D51A0D33CFD8624D48CE7A8BA43ECE,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284843Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:04.582{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F87CBAF3BE1A348DE1BBE5DCBB7F1A23,SHA256=539670B5EFD775EFBAC00FE5A8618C4DB3B1C2C28129B22C657A002C55C19137,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000284842Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:04.254{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0DD8-6216-9904-000000003802}2352C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284841Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:04.254{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284840Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:04.254{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284839Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:04.254{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284838Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:04.254{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284837Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:04.254{C8EA50B7-F11C-6215-0500-000000003802}4122608C:\Windows\system32\csrss.exe{C8EA50B7-0DD8-6216-9904-000000003802}2352C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000284836Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:04.254{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0DD8-6216-9904-000000003802}2352C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000284835Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:04.255{C8EA50B7-0DD8-6216-9904-000000003802}2352C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x8000000000000000284847Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:05.770{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1C972AED859664193333ABFBE091561,SHA256=906EE457CA7B15F5C389EDA6EC1C01058AE0E5E9BF7C7F5A34E48D465F0EEA82,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000213942Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:05.479{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C4A131DFAC03772D86776571E8973C0,SHA256=C6B15DE237AA829C5F07FFA6C61F0100D5DD45B45912F3E5DAA80F547A2C054C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284848Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:06.817{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CE19D8ECC206E4DE89298FF25A81DCA,SHA256=6E8A4DB9827F43CE52FBF3B8EE123FE758622E1E639E6CEEC1D3C3D9C449BB97,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000213943Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:06.620{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA1E29B495E6ABA951671AB8E7514540,SHA256=785BC5C499D4A8AB5A787AEC4324FEABBE8FD2484D0E93D4956B8B5F362B1B48,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000213944Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:07.838{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE4593F28239D59FB111743C508A2471,SHA256=4F92163D2DCE19826A1870FA334BBA0738198AE4039B6B57FF55B6FAB3CC130D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284849Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:07.832{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0DD557D0F9A2EC67EFBC150C3CEC46A,SHA256=5EC3AF28FEC53BDD2DDAD084B9607362567852612A6EF72843BF3494CDE10EFA,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000213945Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:08.885{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=630D85EDEE2D1404255AB415D897A448,SHA256=66DB267A77C450C39A0C49149A570D338C1BA70B022719E84350BA186B776AD3,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284850Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:08.832{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E61F79F8049BAB59C286ACAD4C5963C5,SHA256=F1CF5D4F03E975447B833585B0434E916672DBB0EE2929A8E2D18FD5F88F23C8,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284852Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:09.863{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E11A68959B4BA2C87CCDFC3F6B1E35C,SHA256=7A494CA1D40A62ACA1AE09F0855F4DDD6FA4B45930897AB2FD2FF3BA7AD190C2,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000213947Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:09.885{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=951DE60C37D9B1FED8F13D5B10304F03,SHA256=D3FF3C525CBF95AD3BF7C01C9349131D339E83113623A53B28E73AD022F4847B,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000213946Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:06.541{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51155-false10.0.1.12-8000-
354300x8000000000000000284851Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:06.622{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53207-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-
23542300x8000000000000000213948Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:10.901{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=107D481838D857A927378310EDD8463F,SHA256=7498CC07240FD07A142EC4476AA6F91D82E4BCE0E05BDF0173CA43628A9A86D0,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000213949Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:11.916{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95261E6B976DBB5A7DC93A7A7D197C5E,SHA256=625D7D1EC4607C159F73F89FFA7CB3FBECA69CA4255A24963B614040EABBC6A3,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284855Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:11.535{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7F96F303C4B935F60FD4D8274D0E813C,SHA256=52A12F120A1E3A2A77794E36B8FA468E263FE9F81F39A2C8E71C168C38D9B9F2,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284854Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:11.535{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4E634D6BA0AF8466D0689FECC6662D46,SHA256=2656696DA569555FF17A24F95B4E1EEFD3F5BC98614B7FD8B44BC164091F4BC3,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284853Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:11.020{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9F276D5A1D27C50D73432B8B094578C,SHA256=59F9A7DDF6588041C2755B786EE4952FAF9E9FE74AC72518CB7AF517872B81AD,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000213950Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:12.916{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37C6547E9EF3D7A1035CF6C6368FBEA4,SHA256=0C4B7320B644876879BA9243D404E982AAC2D4E814F43526DF276FC8BCD45C4A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284856Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:12.020{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD635E0501B89F56C0831D22C895E590,SHA256=78BAFCD01A3405258B99D54426BB7F801AFDCEB4B53BBB60982752E20CFD97BB,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000213951Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:13.932{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=312AAE2FB32062C7C17AE31921690826,SHA256=536B0149B98C107C619F8F6AFAE1EA76CD6E4773F6656CCF275AFEB40EE0CD10,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284857Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:13.035{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E9DA02C22A5A6DEA2AA93D2ED42B30A,SHA256=CEAD1E0FD5CF6068663E4E6B35FE651EDD1A134E0FB761D0647DF09153487ACF,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000213952Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:14.932{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0857BDE2BB8CF72173FA67FF1BBC103D,SHA256=DB180589E29699648618A0392AC8CA47DC29ED7CC0527B58612E90604F18A268,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000284861Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:12.486{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53domainfalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local61588-
354300x8000000000000000284860Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:12.485{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local61658-
354300x8000000000000000284859Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:11.654{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53208-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-
23542300x8000000000000000284858Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:14.067{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABD280989A88651D16684D6E75284089,SHA256=A994790E445CB201730393E60F84B5C749855FB9839FB91E9435F1ACE1BF7665,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000213954Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:15.948{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F175E4DF5C188CA3779FBCB5B7A5D46D,SHA256=731445CE74B65E046AC6788E13049F5E92D1E287FF75313D46FA2E3A0DFA0442,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284862Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:15.238{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2D925C4E478FD496EF1F76F59268ACD,SHA256=8E334E3C7617E7E82495E5F1409D716BFA64D78B6F954A4B95B29728D67D57A7,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000213953Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:12.516{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51156-false10.0.1.12-8000-
23542300x8000000000000000213955Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:16.963{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E28B07207CFD268AA5D8AABE524DBC5D,SHA256=16F819984775F443BA395F086E190BB546F774935963DA79B38432482C7C4716,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284863Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:16.254{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=158C6A4E5930B1B4294D159EBC04446A,SHA256=F015D5BFD7E53CEFD9BC0FA74103A00AE4DBFCEE0861CB95058D387E5A891BED,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000213956Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:17.979{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE8303BC5DFC6C4AAB47D3331C34D8D6,SHA256=4E4B71A29AC0F40B1187FBF8E04A9B908F0605DA89EBD91E6F357A62E17B16D3,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284864Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:17.285{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A28521DC14F01FD12D9531D1C17BD2D,SHA256=BF14227AC82AD6D97C9317008665D52D7F1DC3B9588F787C1B6E0F818C20FA8F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000213957Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:18.979{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A902A5AEF30FC22054341FE8EF69ED7D,SHA256=05F91C445876D1C50E7A158EDE3AD4A203554EC6876CD8347CA974B2E6E12FB7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284865Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:18.301{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0210D855E7FABCDA4F2C987F209318A3,SHA256=7012BCDEA3C3EB634A7D3B5A894DD6BA8D9D47345DE176DA64A8E38BBC01A9E4,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000284875Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:19.926{C8EA50B7-0DE7-6216-9A04-000000003802}1721388C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284874Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:19.676{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0DE7-6216-9A04-000000003802}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284873Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:19.676{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284872Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:19.676{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284871Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:19.676{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284870Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:19.676{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284869Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:19.676{C8EA50B7-F11C-6215-0500-000000003802}412428C:\Windows\system32\csrss.exe{C8EA50B7-0DE7-6216-9A04-000000003802}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000284868Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:19.676{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0DE7-6216-9A04-000000003802}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000284867Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:19.677{C8EA50B7-0DE7-6216-9A04-000000003802}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x8000000000000000284866Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:19.317{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21EBD816D4116CA2D33AD25945F4AF09,SHA256=108173C51DD3FB27C1F082A0513689785A6BD9098F76016A197AA55C96578F67,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000284896Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:20.817{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0DE8-6216-9C04-000000003802}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284895Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:20.817{C8EA50B7-F11C-6215-0500-000000003802}412428C:\Windows\system32\csrss.exe{C8EA50B7-0DE8-6216-9C04-000000003802}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000284894Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:20.817{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284893Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:20.817{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284892Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:20.817{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284891Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:20.817{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284890Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:20.817{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0DE8-6216-9C04-000000003802}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000284889Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:20.819{C8EA50B7-0DE8-6216-9C04-000000003802}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x8000000000000000284888Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:20.676{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D1D7AD43EA12A57836BA0EA7C76A6C09,SHA256=1A3CC069F2D173F22B4BF96C30BF1B3EE354B9C2C2FF548A6DE438769C8EFE5D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284887Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:20.676{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7F96F303C4B935F60FD4D8274D0E813C,SHA256=52A12F120A1E3A2A77794E36B8FA468E263FE9F81F39A2C8E71C168C38D9B9F2,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284886Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:20.535{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97F75565A1A3F1D1C96BB0DA85E972F3,SHA256=6255977DA77B767832F14E1E2436A506882189AEBEDC35BC3AEB5B6BB84495A8,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000213959Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:17.651{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51157-false10.0.1.12-8000-
23542300x8000000000000000213958Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:20.057{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D512D3BCAE8A048883C2E4D561CF615,SHA256=089FF7A2083B37567A28DFD5C19A5CDA290D24A7CFE24693F7A117D9040AE996,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000284885Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:20.442{C8EA50B7-0DE8-6216-9B04-000000003802}56924268C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
354300x8000000000000000284884Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:17.591{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53209-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-
10341000x8000000000000000284883Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:20.192{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0DE8-6216-9B04-000000003802}5692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284882Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:20.192{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284881Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:20.192{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284880Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:20.192{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284879Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:20.192{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284878Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:20.192{C8EA50B7-F11C-6215-0500-000000003802}4122608C:\Windows\system32\csrss.exe{C8EA50B7-0DE8-6216-9B04-000000003802}5692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000284877Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:20.192{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0DE8-6216-9B04-000000003802}5692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000284876Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:20.193{C8EA50B7-0DE8-6216-9B04-000000003802}5692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x8000000000000000284907Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:21.910{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D1D7AD43EA12A57836BA0EA7C76A6C09,SHA256=1A3CC069F2D173F22B4BF96C30BF1B3EE354B9C2C2FF548A6DE438769C8EFE5D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284906Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:21.567{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9D2AFF2017221B2B7B6527B17E7DA94,SHA256=171D629A8E4AA23BD04BFDBAF305AC74F0B7B6B91E412DDCDC0461F1CE9B474A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000213960Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:21.073{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5ABA025C42799D8237B2F8E912694321,SHA256=BF206C7256986C1EA5FE26121DB8D51C80277C684B3D0E2739C72C11B7AC8153,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000284905Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:21.332{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0DE9-6216-9D04-000000003802}2972C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284904Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:21.332{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284903Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:21.332{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284902Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:21.332{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284901Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:21.332{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284900Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:21.332{C8EA50B7-F11C-6215-0500-000000003802}412428C:\Windows\system32\csrss.exe{C8EA50B7-0DE9-6216-9D04-000000003802}2972C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000284899Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:21.332{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0DE9-6216-9D04-000000003802}2972C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000284898Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:21.333{C8EA50B7-0DE9-6216-9D04-000000003802}2972C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
10341000x8000000000000000284897Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:21.129{C8EA50B7-0DE8-6216-9C04-000000003802}49002268C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x8000000000000000284908Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:22.567{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15725C37165707B867BB3FC0A1938281,SHA256=5750AFCE3C555500C91B4B85B472937F7883FDE07155879659352250E9AF707A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000213961Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:22.088{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E406707A5B55872C5EAB0FEB36E1462,SHA256=5F65CC38D1D4B4ABC32823CF7076556B0764F342C73674B38882105DB695149C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284909Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:23.598{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AED184D4ABACC4C2A9CD06DE5F967C8,SHA256=D6F912C74B208C88931DBD3D5556737ED4DFD708FB1539CAB50DDFC34B8AFCF0,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000213962Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:23.104{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D602CCCB3A3F1D93BB7F8EA5F9067D8E,SHA256=47F9F9706424731FBE4E2BF13F22EC07E6DCC8653CE9E27ACB478F892BAB9E40,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284910Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:24.629{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1FF1FBA54C9712839C379BE6C6FA5AC,SHA256=1AA1760063027AA97E9EF3682E8E5F79BE7D542EBD65C5DBE910A137BE624775,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000213963Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:24.135{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B738F566BB88F7B410EB4FB87ED0FD9,SHA256=D23DC5C16CBE8E8073B36468A4EE48F519ACEF349DC7797931FB2E6AB0850BFC,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284912Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:25.645{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=627504D39284EC5B34EAF29732CF2BE7,SHA256=6BC7DE6261E84C07338D86AB3B93DD65E447F1735962D9C8E0CA87C5D630BD65,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000213965Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:25.151{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57D08297B79F19CC3A3F2C0760E3081E,SHA256=E3E23143E97946A95DA2B4BB5193D43D85746EA7A7A4ADF83CD6B8EA44FEB1EE,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000284911Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:23.576{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53210-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-
354300x8000000000000000213964Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:22.667{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51158-false10.0.1.12-8000-
23542300x8000000000000000284913Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:26.676{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD59EC1D3634BE43677FA4AC2E333AC4,SHA256=9F42B8F2D0EBD86CC0F7EEEBA7D66630197D0C20C664E0FD8C351AED3069CF16,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000213966Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:26.166{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=800F37F782FF85E394B5D091B6544447,SHA256=398AF51ECB7261AE0BD2D9B3B4A9D919EFDAC9EAFFA2803F5323469C03100834,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284914Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:27.692{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=263C54DC51645637FB0DC2FFB519900B,SHA256=8448689C35D8313798AAB93314CB87BBF71FC1FC040422E177AFA7D116A95674,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000213967Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:27.277{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E8D659C369F5C195BD0ED28B06D3A80,SHA256=F72C9D0B981F3F3C2E1A1E0AA68C209358FCD261470A655EE2D778A7DEB41178,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284915Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:28.817{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=313DF6ED60C24BD4EA21846D43CE1262,SHA256=8592340AA44D3DE13AD0D7B2F1AB35685BB474AE16B26EFCBCFC017E86A40B54,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000213968Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:28.494{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3820E2F357C678DA20022B0D5D8E77EF,SHA256=433DF06B0ADDF12AAB76B0969006783F6A7E7EAA12815723CCEDABC0BBBB9A82,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284916Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:29.832{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04F77D5A04AB796F2D90160668EF4620,SHA256=887C1761C1993B5B70C4F27EA76D8E03D8AB6128E83822686800EC966AABB8CF,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000213969Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:29.557{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C310A1044CB481F7BE44A300EC44631,SHA256=E77072080721FAF45C305A376135F2F2317A3465B680FF5A4518F0F7B73DF03D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284917Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:30.848{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CE834FF92E9D1244FAFFF707DBD093C,SHA256=D7E796B51A84EB5D232FC0C6731C8342F7BECB4290F41A4098C70BB02FB34F28,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000213971Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:30.557{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AEA04BB83863955D7C04A7DF6A8DCA4,SHA256=A1B7DEAB529D99CEBA8ED04C192F9896116EEFC08CCABC41D209B706541B4127,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000213970Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:30.229{4F8D34B0-F11C-6215-1100-000000003902}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=6D4BABD62A41EBD92D22888E52FB2E91,SHA256=BFF91A2B4B0F177297517E4743CE194B8988D24D47314D122F4D2BD849CF334F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284918Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:31.863{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CDD8FDCDADF2F4048FC5CEAC82EE541,SHA256=A19D66719C85B05AF5CF1A63B2FA0F4ADA06DA8BA3A535B7C1A3AA642A90FDE2,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000213973Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:31.588{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5B48D9880853DFA49CAA6304A21A452,SHA256=A57F8217D17CF8A26FE524AB67C43898DB719BA5FFD93C0992DDDB40E3A57C0D,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000213972Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:28.573{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51159-false10.0.1.12-8000-
23542300x8000000000000000284920Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:32.879{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DA646526B9DC64ACA6D6B1F1F34A0E3,SHA256=FFD4F7E1BD930EB383DDAA958765A75EC6BA1EFBE50179CAA95EC7579CB2C9D9,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000213974Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:32.619{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78EA255D7B2EC553C1C6DCD3434B9B23,SHA256=B5F930BCFAB3BCE5D9E34C55D2C5BEF5E7681255989D5BA083040CB85E020E51,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000284919Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:29.591{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53211-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-
23542300x8000000000000000284922Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:33.895{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA3170AD3314DC75ACB3910454AF2BBF,SHA256=36C435DF1B542E2145289993C5A1B84743866EFE2576A6CBEFAAD39BE86DF428,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000213975Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:33.666{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE7A4057D4EB29900E83BE61B266B50E,SHA256=E2F1E05C87AEEB5B982327B0B91220DB9759407C6DE0D5E640104F0981D50FC1,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284921Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:33.238{C8EA50B7-F11F-6215-1300-000000003802}616NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=B0956F38078B3CBAF25A7FC8ED2BB786,SHA256=83EC3215B2A59F5A621A054D9833BFD48E227B584D5DD70E47C720341E87CA7F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284923Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:34.910{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2086E3D3886848E9CC991BD06A5942F,SHA256=80C0F0A375C6F3525F1246A59AECDE509E047B539E49829EDD097602EB83641F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000213976Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:34.807{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6B0C68AB1F8D04BA6E16EBA32EC7FCE,SHA256=8D40510BABC7A2DF166D16841A0F7481FFDBD2AFB44B711B9100E10BFDB94E8A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000213979Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:35.841{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80F990D1308E08805A38AB29D1BECCB8,SHA256=A9CCDC9EE21D6AC624D1AAC1D15580D0D0E856C34F926BBA81A20B895057C567,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000213978Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:33.651{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51160-false10.0.1.12-8000-
23542300x8000000000000000213977Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:35.406{4F8D34B0-F11D-6215-1D00-000000003902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04ffbe17aee3fbf0d\channels\health\respondent-20220223083233-119MD5=7840F8D654EED3E7C6FA395A9E23FA56,SHA256=FC4C38DACEF1698268BE802A03907A00216EAC67FA531AF20528DD4173FB9624,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000213981Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:36.902{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E3B1654CC037A59931AD945AAA9B66B,SHA256=E98D0E3622C645E02E7312C3D6146B37DFC6DA4EB8CF0589AA946E13BE77F973,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284924Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:36.004{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94E165C214E7BDDCE694ECC0E962F00F,SHA256=6BB67A0BA66AE37A005FE12BE4AF58D189749B4798429269C56D7D08305E7567,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000213980Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:36.405{4F8D34B0-F11D-6215-1D00-000000003902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04ffbe17aee3fbf0d\channels\health\surveyor-20220223083230-120MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000213982Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:37.919{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2968E6099B9A296F90F366E79C61593,SHA256=20054D99115C614299867396DBEFB342F72DFA92459C179A4F137EE7DC5C90B8,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284925Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:37.207{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BB8AC4305AC5B4BC9A73B0B3D1B3043,SHA256=4746DC7F8FEF63C16B053933253148469C82E528F52C188A96FC7911917A937D,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000284927Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:35.606{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53212-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-
23542300x8000000000000000284926Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:38.223{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80C8D43FC64CF15A106F99EACF8C11E3,SHA256=92C2BD42C7912DA176E249E77E6421632694FC25809BFD823FE46828F7A9F316,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284929Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:39.410{C8EA50B7-F130-6215-3000-000000003802}2512NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C796F5788518CF0F57AB5C87207C5D14,SHA256=0CE7095FECB35749AB15D15586D728EDDAEC94009FC3FB4FCEDC790B064FF951,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284928Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:39.238{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72EE88D4E357C911A24B42F02AEBFF13,SHA256=947BED8B6FCD17F85B17FA1D5E80D5A4046BD1789EC219243256D5B902E37F67,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000213983Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:39.138{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C44D25F9D5D4A6EBC3CC8E26643798AE,SHA256=8AFCA1D9FA8CD5AE025B714D2E75AFD7E0F9FE20DA7A33D4A1577E70AC00D401,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000284931Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:38.872{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53213-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089-
23542300x8000000000000000284930Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:40.238{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF131A8B7A523A5D1AFAD91F24B31FB5,SHA256=CC9A0FD76CC1E47A27FE132997740DCE9D92062807458197848A99BF62D7B7B1,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000213984Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:40.169{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD2B1A14028EEDB27FA8A403FB68B0A5,SHA256=4C921E900448828896942D94F7A015862BC963A8929F4264ED4DE03445517AFB,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284932Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:41.301{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=452666CCFD5EE801083EC395C90FD3B5,SHA256=2D17A7C854D3940DDF4915C3BF2CD24F1BE996699EFABE5B348DE61A13764143,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000213986Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:39.608{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51161-false10.0.1.12-8000-
23542300x8000000000000000213985Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:41.185{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26E37872CA7D3C8F7D59F6C84E5833D5,SHA256=C6807A317644B294F00025625B0CFE12BE1889CF4C2549AB39D5C3536EF89FCB,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000213987Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:42.200{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63491FA194FB745E80A390AA2D9E9217,SHA256=01E05BA98F5680229447CE1E493E760C0F03466AAE91EE9C3CC0A9953C34C5A7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284933Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:42.301{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF34E32438F8ADF98C9E43AC6D3928E9,SHA256=F4BB5E996DBCB6862A1B1620428F058487337DDAFEC826A1E5B8A0E96A0438AE,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284934Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:43.332{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BAB60439BE93F22EEC3A18C088B2EB9,SHA256=993CC715C167ADF44ED226A66B157200E35C8D3C8613DC9B894D1CDFC91E8B0F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000213988Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:43.200{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45ED2D78E68538ECAC5BA3B3843558C6,SHA256=25E59FB90DCA6F73897C1F80F366E1C33595102D4282A74A1D7ECF03626010E8,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284935Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:44.348{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FADD0E1906A368D0E54284E951E8903,SHA256=E441D2C45BFC35B97A0812B72D2CEFFD4865F4656DD954DC99C7787C61205794,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000213989Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:44.216{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B688D94D0B4A7B08CF17E5AFAEF2FC5,SHA256=BE8BE9467E9063E84F8FE02CE24F37C36518057CBA1BFFF65D1E31883B40D544,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284937Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:45.363{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2D07949A60E5B79B4BEF4D50EC81C52,SHA256=D561ADD58E267152555218B573AC886FC113B4AC5E44AAC36615CD53A21E909D,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000214018Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:45.810{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-0E01-6216-EF03-000000003902}2484C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214017Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:45.810{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214016Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:45.810{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214015Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:45.810{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214014Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:45.810{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214013Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:45.810{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214012Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:45.810{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214011Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:45.810{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214010Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:45.810{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214009Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:45.810{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214008Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:45.810{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-0E01-6216-EF03-000000003902}2484C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000214007Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:45.810{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-0E01-6216-EF03-000000003902}2484C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000214006Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:45.810{4F8D34B0-0E01-6216-EF03-000000003902}2484C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x8000000000000000214005Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:45.653{4F8D34B0-F11D-6215-2300-000000003902}2036NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C796F5788518CF0F57AB5C87207C5D14,SHA256=0CE7095FECB35749AB15D15586D728EDDAEC94009FC3FB4FCEDC790B064FF951,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214004Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:45.357{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BFF6D9EFF174A136273E3641FF67ED4,SHA256=DC1180621D6944615B218CD30345E456034230FD570E8140702E4137C758DFC3,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000284936Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:41.559{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53214-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-
10341000x8000000000000000214003Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:45.325{4F8D34B0-0E01-6216-EE03-000000003902}5203928C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214002Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:45.138{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-0E01-6216-EE03-000000003902}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214001Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:45.138{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214000Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:45.138{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213999Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:45.138{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213998Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:45.138{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213997Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:45.138{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213996Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:45.138{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213995Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:45.138{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213994Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:45.138{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213993Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:45.138{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000213992Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:45.138{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-0E01-6216-EE03-000000003902}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000213991Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:45.138{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-0E01-6216-EE03-000000003902}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000213990Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:45.139{4F8D34B0-0E01-6216-EE03-000000003902}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
354300x8000000000000000214022Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:45.076{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51162-false10.0.1.12-8089-
23542300x8000000000000000214021Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:46.591{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=027C65C65C032C9AB587E0A966EFC168,SHA256=DE56783605920CC4619C76CC577E1C3A8F6616AAEE43B22254908369AFCB8953,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284938Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:46.379{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5BFF719467D4914D373CB3BAA1A634B,SHA256=BA0872F33DE69E05CC68082F873D031B81D0F72A5F9D0C8F85C1D15DA1D26CC4,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214020Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:46.372{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1135414B3A534DEEA12FA445D04A45B4,SHA256=178188C1BAA717B7F176262413AC664B2CCDE8C3A9DD5AE29E054D8AF77D2839,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214019Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:46.372{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=54926D8BD2E1962E9354E09396E8F74E,SHA256=C367E94AA39961B8522A5B852316CFF983552E162C3E2ADE25FDFAA4A7EC88C1,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000214037Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:45.498{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51163-false10.0.1.12-8000-
23542300x8000000000000000214036Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:47.810{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D9F923FB5D2BF63605F33E5BC2BA20E,SHA256=69D9E27F0024479297EBB06B39D1F5E5EDC8E4BA6ADF75E9B54159B2DC9917F7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284939Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:47.395{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C412D2334B5036FF0043EA3C810A007,SHA256=57B7BF9ED9DDB4C3388473AC679B15741E2428EAEF6EE2EE5F825D58029FFEE0,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000214035Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:47.435{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-0E03-6216-F003-000000003902}2624C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214034Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:47.435{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214033Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:47.435{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214032Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:47.435{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214031Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:47.435{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214030Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:47.435{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214029Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:47.435{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214028Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:47.435{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-0E03-6216-F003-000000003902}2624C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000214027Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:47.435{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214026Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:47.435{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214025Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:47.435{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214024Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:47.435{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-0E03-6216-F003-000000003902}2624C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000214023Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:47.435{4F8D34B0-0E03-6216-F003-000000003902}2624C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x8000000000000000214053Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:48.825{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D8E4A6BB5AF0DCBE99D60816F9B8ECD,SHA256=BB01BB27D1BB576726DF65A352FDAF9FE0172B5ACA270BE4A0F4E26DCA87A8CB,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284940Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:48.410{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31728EDFF909C4BFB4ACE4D94F1F3B1C,SHA256=4349CCA83D843F80817F69ED19C8797D1521C99CA3E7B300B926FD8F6AF3AEE5,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214052Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:48.544{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1135414B3A534DEEA12FA445D04A45B4,SHA256=178188C1BAA717B7F176262413AC664B2CCDE8C3A9DD5AE29E054D8AF77D2839,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000214051Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:48.372{4F8D34B0-0E04-6216-F103-000000003902}28364016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214050Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:48.107{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-0E04-6216-F103-000000003902}2836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214049Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:48.107{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214048Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:48.107{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214047Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:48.107{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214046Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:48.107{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214045Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:48.107{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214044Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:48.107{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214043Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:48.107{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214042Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:48.107{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214041Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:48.107{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214040Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:48.107{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-0E04-6216-F103-000000003902}2836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000214039Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:48.107{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-0E04-6216-F103-000000003902}2836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000214038Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:48.107{4F8D34B0-0E04-6216-F103-000000003902}2836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x8000000000000000284941Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:49.520{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=089A0D5C9FE3C0B8A9892DF125238F66,SHA256=742D86D90964A0DE63BE4D916AD0A1E595177C8D53152DBD2CDD16268BF1C8C9,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000214080Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:49.810{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-0E05-6216-F303-000000003902}2752C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214079Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:49.810{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214078Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:49.810{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214077Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:49.810{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214076Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:49.810{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214075Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:49.810{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214074Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:49.810{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214073Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:49.810{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214072Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:49.810{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214071Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:49.810{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214070Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:49.810{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-0E05-6216-F303-000000003902}2752C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000214069Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:49.810{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-0E05-6216-F303-000000003902}2752C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000214068Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:49.811{4F8D34B0-0E05-6216-F303-000000003902}2752C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
10341000x8000000000000000214067Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:49.560{4F8D34B0-0E05-6216-F203-000000003902}31923964C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214066Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:49.310{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-0E05-6216-F203-000000003902}3192C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214065Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:49.310{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214064Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:49.310{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214063Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:49.310{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214062Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:49.310{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214061Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:49.310{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214060Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:49.310{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214059Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:49.310{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214058Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:49.310{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214057Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:49.310{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214056Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:49.310{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-0E05-6216-F203-000000003902}3192C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000214055Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:49.310{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-0E05-6216-F203-000000003902}3192C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000214054Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:49.310{4F8D34B0-0E05-6216-F203-000000003902}3192C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x8000000000000000284943Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:50.535{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC34F25F776A9A6AA185489BB0EB846A,SHA256=F1DDC3F356CB58AF0143C9F1D44B79C134F42A4755E3884AC8D705073162D4E3,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214083Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:50.325{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=23D6DCCDD276B0838495FDD79D73044F,SHA256=7530635EEBC77B9C3AFCD3F6F6EC2D59217C4DFE48C55D242A71C3C81C2CBBA4,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214082Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:50.107{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B796000C04C0521A286C030EE5AADB0,SHA256=1C7015BC4EF194C745D05234913FEDB59FE860F8F98B055DF3E3CCF22C11992F,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000284942Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:47.513{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53215-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-
10341000x8000000000000000214081Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:50.013{4F8D34B0-0E05-6216-F303-000000003902}27521904C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214097Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:51.607{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-0E07-6216-F403-000000003902}516C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214096Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:51.607{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214095Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:51.607{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214094Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:51.607{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214093Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:51.607{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214092Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:51.607{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214091Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:51.607{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214090Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:51.607{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214089Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:51.607{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214088Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:51.607{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214087Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:51.607{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-0E07-6216-F403-000000003902}516C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000214086Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:51.607{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-0E07-6216-F403-000000003902}516C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000214085Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:51.608{4F8D34B0-0E07-6216-F403-000000003902}516C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x8000000000000000214084Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:51.294{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F7E7FB674C0F6A0A70FD3733EE95EB0,SHA256=C43F438145947A28A20809FAD2BF0274BEF42ACD51A7BF8C3C844722D3D686D7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284944Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:51.551{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F96400C9230BB435164D88F8575FF308,SHA256=6202642BF1F897D9A4703E7589D8EDBAB3F6C8C707DC213D25532527A450241E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214099Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:52.622{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E585F6E3B9FE3F74658462C1BAF89742,SHA256=0D2E289C7FA4BAC880920FC82FF5686D5354F3BAFE578A625FCAAECD2C43189B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214098Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:52.356{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBF79B0AD30732255DAAD62187082926,SHA256=5F9F8592CD1D4A34934875B77DF2EBA905B120E9687B3E6354DA743CEFAAD042,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284945Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:52.567{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5F6E6672796318DA0CB9064831192F7,SHA256=B0F0ECC683CB012A7EE937B06BCE43928BE6C45B19ABA1BB7C66EEBBFFA09AD0,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284946Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:53.569{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16158A008D97B8BF678061DD86591F4F,SHA256=9BBA95DD6427011C9B7219F3A77F9E3A4102B76020AFE627F02F4175E440A353,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214101Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:53.372{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75CD4F00D8A708092D24ECE2FB6DA046,SHA256=3658CF398FA6BED5E82B6883ADA3393755FE90B3BAC4A000C81A45FD3EDDD1CC,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000214100Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:50.670{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51164-false10.0.1.12-8000-
23542300x8000000000000000284948Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:54.570{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D59FDE8558FDDBFAE2F41AF77160145,SHA256=7A5D286528C272E7058CD991D2D86CE53EB02D48AA99176D975B3BD28EE3C175,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214102Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:54.435{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B32004D7EB1C05A23F66A0A9BD591521,SHA256=CD048DB57233C5610B923E3FEE6CFE0C29613507ECBAD10CA781AAFA3E91C5ED,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284947Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:54.057{C8EA50B7-F130-6215-2F00-000000003802}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03cdc2690a17b3e8a\channels\health\respondent-20220223083251-119MD5=A38EB58E8C6680789F1AEA0022EC0210,SHA256=7B5C3F2ACD9B17C99423AC4BB2B0CFD455B3A71F8C48567BF2A051FF8E6D4921,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284951Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:55.603{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDBBEAE44697ED2BE353AA18665ED5E8,SHA256=1DB79C72CC11702EFD45D55DD7257E0A868A5B6062327446B0EB0C1227D5B3A9,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214103Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:55.466{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26FF80B779311F54AF9EC425D4A60A75,SHA256=1EB3D4501A6EB39D51C8D0CB483555A3FE5065105489756FCA37DA8ECA4F932C,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000284950Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:52.716{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53216-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-
23542300x8000000000000000284949Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:55.056{C8EA50B7-F130-6215-2F00-000000003802}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03cdc2690a17b3e8a\channels\health\surveyor-20220223083249-120MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214104Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:56.481{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=948C5472B521C634FA876B552DD43C00,SHA256=151D76DDE5B784B2286E88568931C1FAD0EC7EEA2A532A8821161CFBCBA62C9A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284952Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:56.619{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33BEE0FD95FA9CA05CB713C6EDDC5C42,SHA256=40D9867691142448507F647C2D47395C56575812B065D34C1B8D5F3CB836A597,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284953Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:57.635{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F719D6A5281122436F6B01C5B0F97C2,SHA256=AA8B8FE11DFA42103BDE33ADAC0B46251D0C563F29A8E55EDF70000AEE5290D8,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214105Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:57.497{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72EDCCB3F107BA5C7D0F101158B23872,SHA256=837506850018266E3D53919D2B1614E10A19A50AC571662AD459EDE2D6585591,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284954Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:58.681{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2E303F92389A2F1339F7E7F0E33BFCF,SHA256=DFBEEA1F158F5F9159A1324563E6EB2F380385356EB169B7B5EB8C0F87E4FCC6,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214106Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:58.513{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CFB0C67E22D27B48A88489BDA474481,SHA256=890F214E637F0BEDE30FAB29677BA0D68B94793BD5BCEF9D23FBEF27C821DFCA,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284955Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:59.681{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B6068CD883588B70BFF9F8FE6544993,SHA256=C0B9B72CBF62A03C26DFD29A08885C0FE5B768B7D0AFE75A54014FB20CE20D28,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214108Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:59.513{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B062B891EC8208953429EF1005271A9B,SHA256=E567A531DE870A0FA195B4B735088B4003F37EC78E1DD931CA7AD43A5E4D42BF,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000214107Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:35:56.576{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51165-false10.0.1.12-8000-
23542300x8000000000000000284957Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:00.697{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=018791C70111C94E2C08409AF0CD9B65,SHA256=1565CCB22776DCAE84D922772C2A6AE97D3A3CAA9A61E3BCC418076F45DD44CE,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214109Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:00.591{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18D63200558C53F7DE5BF6AD9C6C724C,SHA256=B78E28F6B836079416D1BFDFB5551897A864086D2B929D1CAEDEB06728678E42,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000284956Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:35:58.644{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53217-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-
23542300x8000000000000000214110Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:01.809{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=698497F77C89357834EB8C437D401CE0,SHA256=27514D819432E5B2FC5D4469A488EC44B569CEFF5F6BFEBD8F868756B6945541,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284958Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:01.775{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAC1ECFB3800E6C81A66EC8E8E081DF1,SHA256=E18871A2C71DEACD9A1762ED663D2793D2E2C1B9BA64069F1852E60333F9DD8D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284976Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:02.791{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0190B620A5DABE4012B4BABE3C95D633,SHA256=BF732F43EC01711D9B3C17CC1AF47A7DF99390D94CF584BBC8A6A46847980CEC,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000284975Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:02.635{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0E12-6216-9F04-000000003802}4144C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284974Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:02.635{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284973Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:02.635{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284972Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:02.635{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284971Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:02.635{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284970Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:02.635{C8EA50B7-F11C-6215-0500-000000003802}4122608C:\Windows\system32\csrss.exe{C8EA50B7-0E12-6216-9F04-000000003802}4144C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000284969Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:02.635{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0E12-6216-9F04-000000003802}4144C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000284968Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:02.636{C8EA50B7-0E12-6216-9F04-000000003802}4144C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
10341000x8000000000000000284967Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:02.431{C8EA50B7-0E12-6216-9E04-000000003802}36046028C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284966Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:02.135{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0E12-6216-9E04-000000003802}3604C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284965Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:02.135{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284964Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:02.135{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284963Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:02.135{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284962Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:02.135{C8EA50B7-F11C-6215-0500-000000003802}412368C:\Windows\system32\csrss.exe{C8EA50B7-0E12-6216-9E04-000000003802}3604C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000284961Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:02.135{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284960Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:02.135{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0E12-6216-9E04-000000003802}3604C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000284959Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:02.135{C8EA50B7-0E12-6216-9E04-000000003802}3604C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x8000000000000000284979Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:03.900{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E90457DBA9A433A9A610778C1B57BE5F,SHA256=CDBE4BD8F0FACD303A0FEA6F84AD63983D9D12A371E98FA734C90D42F68EBDE7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284978Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:03.135{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=37741C82D3DB099224988A969CB51E47,SHA256=40DAF4CBA507C3911E541C1A9C6F07234E83DA3B124F549188E7069AC880C39E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284977Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:03.135{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6BCBBF1F78B567E843E34C5B2B903D1A,SHA256=B1053AA44FEFC84609BE053A9C4C77A583F20F0EA670A70775AC6AFDC213D26A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214111Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:03.044{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A82777DEB45522134FEFBCEFAFC2A00,SHA256=62C9354D0E7819BA647961E1A65C1244ED603BB3A4DDF2DD44A0DD3579E6E864,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000214114Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:02.403{4F8D34B0-F11C-6215-1100-000000003902}980C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruetruefe80:0:0:0:20b3:19bc:f5ff:fef0win-host-tcontreras-attack-range-985546dhcpv6-clienttrueff02:0:0:0:0:0:1:2-547dhcpv6-server
354300x8000000000000000214113Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:01.592{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51166-false10.0.1.12-8000-
23542300x8000000000000000214112Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:04.138{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56BAF5FDA1B91EE515033721CFEC218A,SHA256=E74F92854F57C0B2D6C164254C9845963A1E46A51EB7130A3521BDF8AD0E3E1C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284988Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:04.681{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=37741C82D3DB099224988A969CB51E47,SHA256=40DAF4CBA507C3911E541C1A9C6F07234E83DA3B124F549188E7069AC880C39E,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000284987Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:04.260{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0E14-6216-A004-000000003802}6084C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284986Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:04.260{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284985Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:04.260{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284984Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:04.260{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284983Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:04.260{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000284982Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:04.260{C8EA50B7-F11C-6215-0500-000000003802}412528C:\Windows\system32\csrss.exe{C8EA50B7-0E14-6216-A004-000000003802}6084C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000284981Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:04.260{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0E14-6216-A004-000000003802}6084C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000284980Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:04.260{C8EA50B7-0E14-6216-A004-000000003802}6084C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x8000000000000000214115Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:05.153{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=918ECD688290A8F872BD99ECC8C8DE79,SHA256=EF38D516FF0109A6BF1E9DA169238F8BF058DD461328A97ADBCDED1D795A0C1E,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000284991Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:03.081{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53218-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local389ldap
354300x8000000000000000284990Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:03.081{C8EA50B7-F130-6215-2C00-000000003802}2420C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53218-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local389ldap
23542300x8000000000000000284989Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:05.041{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9714D7BE21687A0BA4370182E19646E2,SHA256=BA8BC01379914A67CD69B3A1CDCB7F3434EBB1FEBB13C4F0A443543C7D6730E0,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214116Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:06.184{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=733FF75AF602151598A2E5778C80C010,SHA256=3CAC4FCE6FED8AFCF7DE79610CCD8BE8CAC819FCAD3B5950795EE730A0764CC2,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284992Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:06.056{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD25E202393D810AAFD5B11E50E6DA4E,SHA256=D19B30CDAE3BD1163DF63C2B7D65442E852CCE978F2208FA762AA54B3B56CDEE,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214117Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:07.403{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FBC198F6150B82265D11D77096A937F,SHA256=A2C9F9E46E8A05B50AF87623C4CEA5BD9D76D347DB74FF3B5167C43C7FFB756F,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000284994Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:04.596{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53219-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-
23542300x8000000000000000284993Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:07.135{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDAC9474A24EEABE42494ACD2E1ED2F0,SHA256=E8E3E936A97B9DF7F49FC579480259D59EA1856BE917CA94A0AEC6798FB55680,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284995Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:08.181{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFCEFEF1E5746DF32B3639273B156042,SHA256=CBB93A9FB221922E7D066C8243073AB3D01877549E23EFFF9B431116EF09E99B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214118Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:08.419{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F31EA62B7F8EBA4726CC735981E9DF9,SHA256=5C15874DB9CFCC5578A8D48110EB993F7B1BB0BC0F877B933714A2133B3BF7E7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284996Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:09.338{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48A02BEF10F4524A774AF3650ADAC10A,SHA256=B994EDEA1B65C5F2566BF1033C79C3BA4F24155CC0FA112A822C9834C18D8F40,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214119Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:09.434{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3FFBF13F937B44A896BD4A44AA31585,SHA256=06AD775F1C872EACC7340B2015AA6F1FE4348B0070234C5BB6FFFE3FC4B3C735,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284997Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:10.463{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09271817DB57022D1EC2B4719EA587B1,SHA256=94A77E7032D0AC59C3E2412250B452B550320E3772200F26DDCF896841D8B538,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000214121Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:07.576{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51167-false10.0.1.12-8000-
23542300x8000000000000000214120Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:10.450{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4945FC835518F6A6CBD4632AD5213578,SHA256=AB5247147DC7C9838E559A334B9DE0EF256F92A2C29906ADC538FA00561FCFF3,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000284998Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:11.572{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73193CC8F3E0746B2079406D0AFBDEDD,SHA256=CE7425C28CD15ED2E9EB7B5A68E44D0F2B863A2BE509C75D1E3948959029757A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214122Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:11.466{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB657357F903B1EF93521D268AC66406,SHA256=23063356E91DD423E0D3C8AE04DCE99A93BFD091664C9F2BDBFD0FC2E3318AA0,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214123Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:12.481{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFA7C16E0EA0B086773D832104221D11,SHA256=068F2CD3ABF3A4667F63BEB240032D56AB2AC57B714073730371FABF0BF6E15A,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000285000Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:09.705{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53220-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-
23542300x8000000000000000284999Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:12.603{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=721A3698E23BDBB9967C03FFF25290A2,SHA256=943567030753F1218DB364B9B65E923CFEB7FFA62E43D37EF40DA47CCDADD452,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285001Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:13.619{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E96F477E425E46E2B461A919E6AAA1EF,SHA256=09D7271BFF2F5B60D0F539593C3FA393EBDF7D1846F5FD471FCA0AEFD833516D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214124Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:13.497{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07293859314DBD97D4078CC908189A73,SHA256=524B70381B02C6549ED4970C78202C68F0E1AC3C549BB1A6C6392003A484F2C1,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214125Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:14.513{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0E732353A1D14FCC20C4AA5D48AC38B,SHA256=8B68BC5C4C49B9FF1269647DB552649C6737D4F4C6E1FC9F522EDD38ABA46A7B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285002Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:14.635{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E967E8B8C3B67853D4396E82611C7637,SHA256=C5CAD94944881C61E6C4507B83755271DD7502AF9A81A67D9CA16B0852541CFF,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000214127Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:13.607{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51168-false10.0.1.12-8000-
23542300x8000000000000000214126Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:15.528{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B315B8519D6BD51BDC7052928DF236C,SHA256=65AFECAB5CCB62700279EBB0FD17883E9E65A851AA20CC13FF8EA3760BA90ADA,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285005Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:15.650{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C58B39962770D7BF9F5CB22B4AF231C,SHA256=3566C218DC4207C31280AC16ECFDB122685CAF79AC16CDA6C3BCBF4BCF745715,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285004Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:15.041{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3B71BF9B91D48810192A32E164AD9DB3,SHA256=30CCCBAA707C0B52C7F95B65B111F064369BB3F3ACBCFDB419A94B224BB31228,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285003Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:15.041{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B460961927BA616AF5BB2046CBFD6606,SHA256=B1BBF389FD47FDE3DA401ABB7178CA7F01E49DB83770980F49E78FCCD5AC56A9,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285006Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:16.681{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=888632557DAF3D65A062D4FCE4D774D0,SHA256=DBB5A995B8B75220670E3AFA2BDF84665E77232D1AD55853EEC59747D28A423C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214128Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:16.528{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FA876EDB95EB68869CA96991A8970C3,SHA256=CCE8F8F59F87B6DF63B9864F962AB16656C96C3D9810A8A13760816BA8AC4361,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285007Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:17.728{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A6D40EEFF48A31200CDF2C7A35AA47D,SHA256=D60D40ACAA332F4C01A5D9D7C7CB2F723A25602B83DB0A4CE4E1544046060C88,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214129Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:17.528{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2752315EE55D4AE1B4B85F2BD65D6AEE,SHA256=9A9F070CF8E7E421C3DF028B9958C0D8E04B8E6660648CD833CD192237C6C8E4,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285009Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:18.775{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8EF11398AD22F99873509A792737389,SHA256=50BDDF3B4084F6D8F51CCCBE2E0CCB0CB4DA4FD71921E39C6DEE0ECDFB8AF215,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214130Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:18.544{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26FEB05DA48021EF4EB926BFC172B5E5,SHA256=973B28A204F7BD02FCBFA6E6D1A3424095E80F10FF149F91C6535DA5FEB4D066,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000285008Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:15.612{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53221-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-
10341000x8000000000000000285019Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:19.900{C8EA50B7-0E23-6216-A104-000000003802}55641076C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x8000000000000000285018Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:19.838{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06E0C77AF1C08C9B4CD20441E39AC2A9,SHA256=395A2F8EE92DC202576CE713233E09C166EE7517193B2BF7C7E63E62B1F3206F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214131Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:19.559{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66798FBE7A16598EAF0F41990867DA1D,SHA256=708EBFF4E1D117AE8B9AEC0861B8E2D2ABD9E13258A218E40EEF929FE2736BDC,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000285017Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:19.541{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0E23-6216-A104-000000003802}5564C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285016Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:19.541{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285015Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:19.541{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285014Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:19.541{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285013Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:19.541{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285012Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:19.541{C8EA50B7-F11C-6215-0500-000000003802}412528C:\Windows\system32\csrss.exe{C8EA50B7-0E23-6216-A104-000000003802}5564C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000285011Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:19.541{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0E23-6216-A104-000000003802}5564C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000285010Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:19.542{C8EA50B7-0E23-6216-A104-000000003802}5564C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x8000000000000000285040Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:20.853{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=591D9FCA042A8760A5F45B4D1186B357,SHA256=99463F90C7FEEED24B9E7F2AE4827B394A7F9760D63C5C980CD84113E17B8493,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214132Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:20.559{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=208895BCDB09C8284520E3B5ABDB713C,SHA256=925871A787EBE4AF0577002264BE91263CBBB7327E42047892F50F9A04A0EC9A,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000285039Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:20.775{C8EA50B7-0E24-6216-A304-000000003802}60085476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x8000000000000000285038Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:20.556{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=11774855B586872AD4CC1B93483A5B92,SHA256=5D83CD8640F290CBB89E093BE751FCA64E72F686F543E9507ACF1C7AE6BDC5FD,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000285037Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:20.556{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0E24-6216-A304-000000003802}6008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x8000000000000000285036Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:20.556{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3B71BF9B91D48810192A32E164AD9DB3,SHA256=30CCCBAA707C0B52C7F95B65B111F064369BB3F3ACBCFDB419A94B224BB31228,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000285035Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:20.556{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285034Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:20.556{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285033Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:20.556{C8EA50B7-F11C-6215-0500-000000003802}412528C:\Windows\system32\csrss.exe{C8EA50B7-0E24-6216-A304-000000003802}6008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000285032Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:20.556{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285031Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:20.556{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285030Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:20.556{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0E24-6216-A304-000000003802}6008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000285029Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:20.557{C8EA50B7-0E24-6216-A304-000000003802}6008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
10341000x8000000000000000285028Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:20.291{C8EA50B7-0E24-6216-A204-000000003802}10602236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285027Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:20.056{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0E24-6216-A204-000000003802}1060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285026Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:20.056{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285025Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:20.056{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285024Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:20.056{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285023Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:20.056{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285022Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:20.056{C8EA50B7-F11C-6215-0500-000000003802}4122608C:\Windows\system32\csrss.exe{C8EA50B7-0E24-6216-A204-000000003802}1060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000285021Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:20.056{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0E24-6216-A204-000000003802}1060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000285020Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:20.057{C8EA50B7-0E24-6216-A204-000000003802}1060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x8000000000000000285050Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:21.869{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D542DE98798D07CEF409DA932A7A2A5,SHA256=EC93B1CABC57ABB2DA8ECA1D7FFC185CF3712CDAAA0B041DD4B1FE0F01DF7DF3,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214134Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:21.575{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=059C70C88B423A93BEFD694557471B39,SHA256=648D1199823CA82B811A2AFF1E781990526165AE55CE50630775B3F818B13AE4,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285049Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:21.588{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=11774855B586872AD4CC1B93483A5B92,SHA256=5D83CD8640F290CBB89E093BE751FCA64E72F686F543E9507ACF1C7AE6BDC5FD,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000285048Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:21.056{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0E25-6216-A404-000000003802}6044C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285047Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:21.056{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285046Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:21.056{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285045Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:21.056{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285044Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:21.056{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285043Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:21.056{C8EA50B7-F11C-6215-0500-000000003802}412368C:\Windows\system32\csrss.exe{C8EA50B7-0E25-6216-A404-000000003802}6044C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000285042Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:21.056{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0E25-6216-A404-000000003802}6044C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000285041Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:21.057{C8EA50B7-0E25-6216-A404-000000003802}6044C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
354300x8000000000000000214133Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:18.654{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51169-false10.0.1.12-8000-
23542300x8000000000000000285051Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:22.916{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E21137A725CD10A25ACE5483CBEB41DB,SHA256=B5D0FD42E2A22E401EE530685C6F35D3C4F3EAB29DCC668FD29C85F03A684427,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214135Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:22.590{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53A6F56B5FC62B8A72231F69D78DB6D4,SHA256=CE9C12629145644CDE63E0494E1213F8702CC7BA1770012B064AA78E1F83209F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285053Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:23.931{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F413916F92777789BB57382B8962A3E8,SHA256=025B70A97830A2102EB1D1B45F274EBB94431552538A5874B737A266AD687FF0,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214136Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:23.590{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DCE1EC3C9D534F61749F7EB71F7C13E,SHA256=E2AEDB8426831B1C733242E87AE8A4E2679F6DC008922388F5185008CAB8A6EC,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000285052Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:20.648{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53222-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-
23542300x8000000000000000285054Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:24.932{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0DE3563C0F21576EDBFB3B67C9F4041,SHA256=89282BE776E68BF0C23534710AB930049B14E51187C20FF07B8A8A080F91D70B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214137Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:24.606{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64922719F254CAF89EFE27DE2D9A7A9A,SHA256=C010508D8D12548C84694D01068F0B631747ED27E177863DE7BB9B8A99F71F3D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214138Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:25.622{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B4CE96FA2D97ACB9BC408EB0EEA0A65,SHA256=390C940BFA4961DA6DFA57CBE496B39B46E8316C9AAAF9D08FA96D03CD5B415A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214139Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:26.622{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26385615025BC1F961ED6FCB92A6AA22,SHA256=7C248D32AB80D3BD1D959169F207EEADDBE12DAF16D1B44B8DD1D7E249C75A1C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285055Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:26.103{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=954C820D0B4629B575950288C56F3F0E,SHA256=12D2D9F23B1164EED3473D313AEC1EE0AF45B6DFEF8F615656AC555C92FD5FB7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214141Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:27.637{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7BE1DCB7D011AF12DD88C4CA92F6F0D,SHA256=62DE3FBFF4D57F748C66148440F32B540406DCC10EF49DC41A793F695AF0B992,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285056Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:27.119{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7BF177936C5F25CA35DB3B6FE729A3B,SHA256=12E75E3A875B5B50A45404D37273A5DB909F035BD39899858035073FE2179911,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000214140Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:24.654{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51170-false10.0.1.12-8000-
23542300x8000000000000000214142Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:28.653{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51E0307B67638152E3E4AB320E866C0D,SHA256=8D432508FB2C581A8CBB6F6ABA503998E23176472DBAB543CD536A4B18CD0489,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000285058Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:25.721{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53223-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-
23542300x8000000000000000285057Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:28.135{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=590D8F3B84AD7FB0DF2C27FDE8EE6000,SHA256=282E821FC6951836A2DF72B45661B81AA45964FE2D4467BBEA08A4F78F23D7FC,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214143Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:29.653{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4307972BE59C600E37EFF1FEF00C9600,SHA256=2DBC89918A00BB42F1957F59F5B69CFE7758C787552A42F75E45006846505C85,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285059Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:29.150{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5879099E7720A7EC9F670E42601BD061,SHA256=1B262428E4FF28DA13E6EAEF07536B4FDC1528AF2DF458BE9A22106DFFAF1B95,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214145Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:30.668{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B476838679D584F35430BD413A35B9A,SHA256=AEF5D055123584C70A317FD7BD6403011FFF25E5C2D62918345033FA37FEFCDD,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285060Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:30.166{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=304DFC5C5A3A7247432B9BC97F2DF114,SHA256=9AAEDA8B452C2D7D0CA90A8E91CF83B3D5EFB371E2B4F4CB42596A8D2C995F44,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214144Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:30.231{4F8D34B0-F11C-6215-1100-000000003902}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=D0E819179D4D1BAA6C062A31D169E73B,SHA256=82DF7A0874837686007689ED4331538CF761EC0163A0BFD38A7CC854AC58A670,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214146Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:31.684{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DA0FC569E9CD73B4BE5BBA35C7337A7,SHA256=6D187AAC24FD7DF67F1B5C2F0F2A0636E94FC419A97F15AA31FA95885F0655B7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285061Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:31.181{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52623E082C1660263873C0E448FA4D64,SHA256=9611D6CEF6B55B5558A4677D1735DD26730FC2C4E5D6C6EE2D6A644FF2A6BDC6,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214148Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:32.700{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87CB041E1D85ECA2FE5A5B98A98FFCF6,SHA256=09CDC4C3905C5CE2BAE19463A461C853A1D2DD5713E220D8CDED0D18321BA10B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285062Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:32.197{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEFB1817D6B051CB6F843ECA96C1C2CF,SHA256=796DDF9E6D93E7D073F5718F38BB6D5F3CFBA5D6B28E0E97DA14BDF1B871AEAA,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000214147Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:30.545{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51171-false10.0.1.12-8000-
23542300x8000000000000000214149Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:33.700{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3638D21197FDAE1D67AFA7DBF6777486,SHA256=530C15F98B9E4EC2E3E05C33BF628329E5CCE3C0FCBF87C85265BF826E24908B,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000285065Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:31.721{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53224-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-
23542300x8000000000000000285064Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:33.244{C8EA50B7-F11F-6215-1300-000000003802}616NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=97E8091A3CA3A81AEF94806DA993D5A4,SHA256=B9DFB5F6693D53FC64E479A7A01812B882BE5B2BCAE980C9FC2371A36503905A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285063Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:33.213{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45D01CAB704F8B4C3EC6928DD74A52AA,SHA256=DA957F76FBECBE21556722B478D99F0E8DE4F4576CB014C7BDE0FC6A29951DB6,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214153Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:34.746{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7087DA270121809448125185ED4D59C9,SHA256=4E8E297AA09FE201FD4E1D813E629EB4572E1E00A8B58460F9ACD24A8E6E40E5,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214152Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:34.746{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A5EBC485013627209AF4ABCA2CBEA3A1,SHA256=C0D205E42CE0AD4FA32F55DCC52C5DC1DBB6297062F65CCE75C078BAA7CC1295,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214151Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:34.715{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F88588108870E8DC5E0ED84EF9C2EE2,SHA256=F68C37FA10120944A79C75FC94622310114B2D5AD1F662765FC038AEE91C286F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285066Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:34.213{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B48D1B9CF5D41CA4A7C84C084F47D0D8,SHA256=5C938F72B746AA8FBC23627F8D9DCEF6DD1C8C39374250EF2F8242449908690A,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000214150Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:32.372{4F8D34B0-F11C-6215-1000-000000003902}940C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse47.242.107.32-63661-false10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal3389ms-wbt-server
23542300x8000000000000000214154Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:35.731{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=396FC0BD9239D052E500FCB88AC611A9,SHA256=A68AA1C44D0E2B57BF953F0E7B4B3D151394078B2DD2FA44763BCA9264F26DC9,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285067Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:35.228{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=835A4301513399F9321101AC87B670A8,SHA256=EC74F9B82F64C7147B109DC314F47D5CC7C34033DE8733AA746B3BBD6EF1F5E9,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214156Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:36.924{4F8D34B0-F11D-6215-1D00-000000003902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04ffbe17aee3fbf0d\channels\health\respondent-20220223083233-120MD5=7840F8D654EED3E7C6FA395A9E23FA56,SHA256=FC4C38DACEF1698268BE802A03907A00216EAC67FA531AF20528DD4173FB9624,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214155Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:36.732{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=424ABE0708F5C197B4D0625EC4328E08,SHA256=6BEC62A52530FE542DF65A7DB2F6FDC13CC56660530012E6AE013A755F8F8043,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285068Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:36.260{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B93144685E1F63F664626BCCF35B8B33,SHA256=1FE47487A1D14862520AD96944A6F1AC091BE66CBD80D00D1C07B6B108CD37DC,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214158Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:37.922{4F8D34B0-F11D-6215-1D00-000000003902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04ffbe17aee3fbf0d\channels\health\surveyor-20220223083230-121MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214157Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:37.734{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EA730966AF7BC4BFB802B47AD383298,SHA256=89A61A4E4703E35A00764F514D3817312A1EC681D6C8A50BA1632FE27E3E0358,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285069Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:37.306{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7C9FF44208592B200F3AAED4FAA04B6,SHA256=16DB5DC96F8D9A5EB3A5389E6256CAAD3AE4A6EA99F483DF1BAB81AA6E069ABC,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214160Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:38.748{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D41D42955C388D8925B81FAC7CBD31BF,SHA256=63C8ED574A8FD7903B99C1535EFFA2FC11DF4F666B53E486D793AA5F1CED14A2,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285070Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:38.353{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76865FD5357A4649F5224667BF91B1DD,SHA256=E8C346DF3EB44F552CDC11B7DE6F9A470F016014492ADAC1DBC4DD94FDB43FCC,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000214159Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:36.563{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51172-false10.0.1.12-8000-
23542300x8000000000000000214161Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:39.779{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F399115A05719B53571E829BA38A4A3F,SHA256=D5241049C43D422E1C389B801F7392377139C1B0DE9BF9AC46FD551AA900283F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285073Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:39.431{C8EA50B7-F130-6215-3000-000000003802}2512NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C796F5788518CF0F57AB5C87207C5D14,SHA256=0CE7095FECB35749AB15D15586D728EDDAEC94009FC3FB4FCEDC790B064FF951,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285072Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:39.400{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=241D5148AA18BB17EC0A6BF2D8A9F14D,SHA256=8D714F61D4386889EDB1EF56B77318D6D56AE68670B6F7D833C6694FBDBD9962,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000285071Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:36.737{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53225-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-
23542300x8000000000000000214162Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:40.889{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC3FF2B85776BB6D99DBA88A918DC73B,SHA256=0B7D0BFF8CBC399C125487A700991098F016B50B6491DAC57924DA742F5DB922,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285074Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:40.510{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF202C3687ED7D265C64C2B30D227F43,SHA256=019C2D151B09E029A6E98A29BC95ED77D557D5DA315D3D48E3709843C6AE87E1,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214163Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:41.936{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3E2BD36082C17A81D8C1394D6062A7D,SHA256=9E4FF861C7BE66CC1C3C7064D86D525C4EE90421BE31AAD4A615F8C0EA0764F7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285075Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:41.728{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AFF73A003C61A3C3E317A46F47D0239,SHA256=EE8AA69BB9F28AFFE56BEDC501491322DB5EFEE5F5248C2CCEC7AFE4D2452E19,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000285105Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:42.431{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285104Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:42.431{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285103Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:42.431{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285102Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:42.431{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285101Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:42.431{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285100Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:42.431{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285099Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:42.431{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285098Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:42.431{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285097Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:42.431{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285096Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:42.431{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285095Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:42.431{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285094Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:42.431{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285093Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:42.431{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285092Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:42.431{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285091Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:42.431{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285090Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:42.431{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285089Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:42.431{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285088Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:42.431{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285087Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:42.431{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285086Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:42.431{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285085Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:42.431{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285084Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:42.431{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285083Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:42.431{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285082Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:42.431{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285081Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:42.431{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285080Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:42.431{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285079Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:42.431{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285078Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:42.431{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285077Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:42.431{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
354300x8000000000000000285076Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:38.893{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53226-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089-
354300x8000000000000000214165Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:41.687{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51173-false10.0.1.12-8000-
23542300x8000000000000000214164Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:43.076{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D24FF53E6199E174D4B82C5882529324,SHA256=E4CD05FFECF7B04FE0F95DF92646AB540D52DD91E5E6698477DFCBD179883CCF,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285106Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:43.166{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34D14B5A8BA23962023235C9122EDBA2,SHA256=B18BF69B5A9C98DF5684BBCCF2578A0BFF7562988702FCF664ACACA41AF6404D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285108Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:44.166{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BC30A753828539C58A5F140D9C1EF50,SHA256=12CF3B2F271A843C5F91E6745488BD81525851F55C3488A92F597EDEC29AC56C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214166Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:44.154{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C401CC0D3B37A29F7A954E5C19662D29,SHA256=699E45D2E04CDEB107EB76179C3530ABFFDB8921D42DE5831C145C838AC69179,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000285107Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:42.502{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53227-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-
23542300x8000000000000000214195Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:45.670{4F8D34B0-F11D-6215-2300-000000003902}2036NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C796F5788518CF0F57AB5C87207C5D14,SHA256=0CE7095FECB35749AB15D15586D728EDDAEC94009FC3FB4FCEDC790B064FF951,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000214194Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:45.654{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-0E3D-6216-F603-000000003902}3028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214193Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:45.654{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214192Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:45.654{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214191Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:45.654{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214190Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:45.654{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214189Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:45.654{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214188Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:45.654{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214187Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:45.654{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214186Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:45.654{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214185Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:45.654{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214184Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:45.654{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-0E3D-6216-F603-000000003902}3028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000214183Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:45.654{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-0E3D-6216-F603-000000003902}3028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000214182Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:45.655{4F8D34B0-0E3D-6216-F603-000000003902}3028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
10341000x8000000000000000214181Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:45.436{4F8D34B0-0E3D-6216-F503-000000003902}29723392C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x8000000000000000214180Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:45.202{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83225359077D4DBF9EEC1C0974CAE62D,SHA256=510D0BB9016D7ACEF26921816C9D815AAC078E748EE9F505D9C381F15CE32A2A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285109Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:45.181{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1ADFF76110906D3EA7975384F4B74C3C,SHA256=7D48528CCF6B17267738A4A6416DB70FD8603415D91F3B4DD7211356981AFA00,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000214179Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:45.139{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-0E3D-6216-F503-000000003902}2972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214178Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:45.139{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214177Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:45.139{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214176Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:45.139{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214175Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:45.139{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214174Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:45.139{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214173Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:45.139{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214172Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:45.139{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214171Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:45.139{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214170Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:45.139{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214169Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:45.139{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-0E3D-6216-F503-000000003902}2972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000214168Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:45.139{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-0E3D-6216-F503-000000003902}2972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000214167Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:45.139{4F8D34B0-0E3D-6216-F503-000000003902}2972C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x8000000000000000285110Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:46.213{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B2A2A325BB227DDC90357C4CD684CE5,SHA256=D2D66A62924938C743EA80DBCED466BA6DDAB4E25EDFBDB23373966D319AB4B3,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214198Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:46.451{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56EDEAD4B085EF0176E48080891777EE,SHA256=24675AFB4524D60450851357DCCAFA721D9533F7710203A4244754A4E0FABC11,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214197Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:46.373{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ECB2C2407A23E9EEFA0BD5301C342C18,SHA256=868D93EB4B639020048FF2406FA896EE93507E50F6B9ECD55F003F8D90BFA41A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214196Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:46.373{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7087DA270121809448125185ED4D59C9,SHA256=4E8E297AA09FE201FD4E1D813E629EB4572E1E00A8B58460F9ACD24A8E6E40E5,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000214214Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:45.093{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51174-false10.0.1.12-8089-
10341000x8000000000000000214213Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:47.607{4F8D34B0-0E3F-6216-F703-000000003902}3304608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x8000000000000000214212Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:47.467{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C57F3E682716608C0A321881FA41AFAE,SHA256=1E5223D628184EEE37D9168F6441D9CA2CEEEC3EAB480BA9413E68D81DCD122D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285111Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:47.244{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=449ACBAC855DCCB7FED8810BAD14A066,SHA256=1FF8B4AC8D6A9C8B85DDC13A160791B15830F6DBCFCF8E5CD11070A2C39FA5F0,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000214211Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:47.435{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-0E3F-6216-F703-000000003902}3304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214210Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:47.435{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214209Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:47.435{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214208Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:47.435{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214207Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:47.435{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214206Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:47.435{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214205Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:47.435{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214204Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:47.435{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214203Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:47.435{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214202Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:47.435{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214201Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:47.435{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-0E3F-6216-F703-000000003902}3304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000214200Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:47.435{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-0E3F-6216-F703-000000003902}3304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000214199Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:47.437{4F8D34B0-0E3F-6216-F703-000000003902}3304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x8000000000000000214229Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:48.623{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ECB2C2407A23E9EEFA0BD5301C342C18,SHA256=868D93EB4B639020048FF2406FA896EE93507E50F6B9ECD55F003F8D90BFA41A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214228Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:48.482{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FFBA2AA1C143F636CF2978F06005CBB,SHA256=D29030311EC5887E53FE7851476A4D7468BBCF44367403EB967CBB3263777467,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285112Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:48.322{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11FA21B9C9B96C3EB7665B3A8EDC6342,SHA256=230706954FF6FC666549A2D7DEB7B82B2A4DB48E3A7594682CC9996AD366A894,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000214227Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:48.107{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-0E40-6216-F803-000000003902}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214226Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:48.107{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214225Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:48.107{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214224Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:48.107{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214223Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:48.107{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214222Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:48.107{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214221Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:48.107{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214220Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:48.107{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214219Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:48.107{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214218Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:48.107{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214217Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:48.107{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-0E40-6216-F803-000000003902}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000214216Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:48.107{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-0E40-6216-F803-000000003902}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000214215Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:48.108{4F8D34B0-0E40-6216-F803-000000003902}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
10341000x8000000000000000214258Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:49.982{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-0E41-6216-FA03-000000003902}712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214257Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:49.982{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214256Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:49.982{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214255Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:49.982{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214254Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:49.982{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214253Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:49.982{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214252Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:49.982{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214251Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:49.982{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214250Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:49.982{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214249Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:49.982{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214248Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:49.982{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-0E41-6216-FA03-000000003902}712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000214247Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:49.982{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-0E41-6216-FA03-000000003902}712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000214246Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:49.983{4F8D34B0-0E41-6216-FA03-000000003902}712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
354300x8000000000000000214245Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:47.641{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51175-false10.0.1.12-8000-
23542300x8000000000000000214244Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:49.529{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC2FF6479931722D43C8D6DF850FD269,SHA256=4DADCC81500FAA4ABB375032175DEA8DCA0CAFFAF53D39FEC9C89F72344FAAC8,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000214243Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:49.498{4F8D34B0-0E41-6216-F903-000000003902}18323416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x8000000000000000285114Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:49.384{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C416CDE454B538134428AD9F063FF5B,SHA256=63E294E5DD433A12FC9E9507DE1B3479701A00BCBB7830AA4A898132885977D4,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000214242Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:49.310{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-0E41-6216-F903-000000003902}1832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214241Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:49.310{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214240Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:49.310{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214239Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:49.310{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214238Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:49.310{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214237Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:49.310{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214236Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:49.310{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214235Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:49.310{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214234Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:49.310{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214233Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:49.310{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214232Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:49.310{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-0E41-6216-F903-000000003902}1832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000214231Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:49.310{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-0E41-6216-F903-000000003902}1832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000214230Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:49.311{4F8D34B0-0E41-6216-F903-000000003902}1832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
354300x8000000000000000285113Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:47.598{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53228-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-
23542300x8000000000000000214261Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:50.701{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67986B851689177C409EB2D5FE80F4B4,SHA256=E209BE40C7B38C341348EAF51B96E385198FAE243C4EF048BC03420A06D62F2F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285115Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:50.385{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10BFAC011B56F2D75F51FE8A880D018B,SHA256=FE9F78BFF4356DE1FFCA350A55BA373F62A06EFA455535A2DD84103E081862FE,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000214260Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:50.326{4F8D34B0-0E41-6216-FA03-000000003902}7123588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x8000000000000000214259Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:50.326{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9599B40EE9602D126EB1F7FAB98B8AD2,SHA256=7EC43BC32E4C5B0E0C86FA4C21A3714A6B568AB8BB72E57EC509105990F62C15,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214275Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:51.701{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A780DB2FA90DF634424273EEBE5FE722,SHA256=C502B86231DDC030B44572A3EE5EFA7736D6B3F06A4FC67BC127AE36C6ACACA2,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285116Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:51.416{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1B1804263BDA8ACCA91407D0FDA946B,SHA256=1CD78AF9C142DF20D00960E62A2A1C3EB654FA2A87D81BD4C7763E72ACECD31C,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000214274Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:51.607{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-0E43-6216-FB03-000000003902}1516C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214273Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:51.607{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214272Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:51.607{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214271Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:51.607{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214270Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:51.607{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214269Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:51.607{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214268Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:51.607{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214267Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:51.607{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214266Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:51.607{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214265Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:51.607{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214264Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:51.607{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-0E43-6216-FB03-000000003902}1516C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000214263Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:51.607{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-0E43-6216-FB03-000000003902}1516C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000214262Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:51.608{4F8D34B0-0E43-6216-FB03-000000003902}1516C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x8000000000000000214277Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:52.826{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5224D3323F176DD7EBE1E736AB7E2B32,SHA256=3D30E522CAE6302B392C5F21E78D9AAF1697AC19891F5F27551EC2051F8891F4,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214276Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:52.748{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9C27B828A687CABC55EA88047101276,SHA256=268D143E2140262E5360C0D14C6A2F727ED43150C0EBA2DF2282BD9811A25FD3,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285117Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:52.431{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88B629AEA250E3AC57D4F9BD92AEB32A,SHA256=C1F972C69DC7A941E7D1AA85D6EA0DB8901BB5F90B983684A4328D8EA2B2EB42,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214278Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:53.763{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E19BBBB7696A35DECCA0E4B51BCBFED,SHA256=5007B30A0BD553622A36DD0D4E5D526E20FC560EEB4850F7F42A5541B7F04AD9,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285118Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:53.447{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89381D7948C5B6C3F006442701055DF0,SHA256=3B3EFADA8ED901652EA78DC1389ED5516A3BDEDB6AAE31804CE7EA5E9D1937DB,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214279Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:54.826{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7042932F3E738DFAE4D0DF548A352CE1,SHA256=31BCF174ABFC1AA37530FD6415A228DB0FD83841F95976049DBE84DD6F870BB2,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285119Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:54.478{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF80F9394BC8FDF547E856B293B8A597,SHA256=3CB8B89A8F54C8D573D3977BF65056B454AD3363337D6FA14D7E8604FB3FD6FE,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214280Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:55.904{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACDF336185FDCE31F4EE18290DE5F0F4,SHA256=4360AE0C28BD26F278DBFC4D67DC2602F1E0B6E8A83628CDF93B12A42BE81811,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000285122Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:53.627{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53229-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-
23542300x8000000000000000285121Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:55.575{C8EA50B7-F130-6215-2F00-000000003802}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03cdc2690a17b3e8a\channels\health\respondent-20220223083251-120MD5=A38EB58E8C6680789F1AEA0022EC0210,SHA256=7B5C3F2ACD9B17C99423AC4BB2B0CFD455B3A71F8C48567BF2A051FF8E6D4921,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285120Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:55.526{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2FBD3B467C169825E96B766BA5F1F78,SHA256=501606DA0BF5964BB35152C85DC4F63D905A586EF2F88831A79A2DE7C90AE24D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214282Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:56.904{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A87322D4963A77FF5C5F008F623A056,SHA256=02FF5CB569D3F29D5831E009E4D23BF48D7D2B39A2CA46CEB5E8C18C71E30D86,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285124Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:56.590{C8EA50B7-F130-6215-2F00-000000003802}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03cdc2690a17b3e8a\channels\health\surveyor-20220223083249-121MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285123Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:56.542{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C273BA5BE01415AE81E1F4E50CF1F4D5,SHA256=DE9D2B5D519AC20F6A92B7FEA76F81842838BA2D3EF0F47146BEA9C09890FB68,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000214281Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:53.593{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51176-false10.0.1.12-8000-
23542300x8000000000000000214283Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:57.920{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2F5934E65EAF3F675A00C144E16885E,SHA256=66045B52A6B8FD9D88D00C96050B7110C24253AB1724590A6E220E2FB75F1E4A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285125Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:57.622{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7FD962209191DA433926082FAC4ACBC,SHA256=97CF4BAF71FA14BC411FECC70A0AE0A983FA5CEE91383566D0654B055C711EEF,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214284Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:58.920{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85598CA1BA3C6A5CB36EBA0515388D30,SHA256=2825CD2F514AA12F9EA4FE942E71ED35A7C02EC9BD42CF1B04CA8DC8A8FA0A14,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285126Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:58.638{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=656B1153E7ED00D0CCCF8F655F946A0A,SHA256=50CA41A78F400C21FB8AEB44EF92DBA14D80379A410E4EE859E8B16409A2B303,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214285Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:59.920{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE4DBFB63926C2522B858E55F7E0F64E,SHA256=72838F5E340AE943D3A7AC078A272E2346A033799F82E844434500DB53D30889,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285127Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:59.669{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E3F2D981D3B87FD0EE4922B0FB5250D,SHA256=BB3772A9A1D8615E36F4EDDC06DBA0011AF8FB18A64C491D454BDBE64B48DE86,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214286Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:00.935{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5DA5E9DA9DD3BFA4F9A2B7DFB2DAB73,SHA256=C92855862C5A0FC9C763E2627CD59581FC95DE34F8F817E469BFD930E166281C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285128Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:00.685{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5D7E010AE308C6CC115A081A571BB42,SHA256=7BD15A6FF2EE454BE58721D54847BB4A295B5209A33A15D93C7AA99F73FD8E6F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214287Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:01.935{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B9B8ECABC9385D845E5E9893ED5D3C9,SHA256=E91021800E551D4136B1343DDC0222376612FFB4ACE968558F9777BFF07C8DA0,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000285130Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:36:58.646{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53230-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-
23542300x8000000000000000285129Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:01.685{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D29C07FC978671082A2DF16773906145,SHA256=9E227091D2228A2571E90C6D0BF36FB6FC4C824F7863FBBA1727C2026DD4E460,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214289Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:02.951{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E64CDBB88C5B68556B03A971015A03E9,SHA256=F4E2A1E4AB6F4F4B72B56F01616B6025E7961AB9D68540FD91363CF4FEDA71A6,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285148Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:02.716{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DFA6B5F2A3681371229AB9893499499,SHA256=E435745785E3E328CC6CFB72CF5EAB8849671F881C4608E76226345ADE5DE883,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000214288Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:36:59.499{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51177-false10.0.1.12-8000-
10341000x8000000000000000285147Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:02.638{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0E4E-6216-A604-000000003802}4268C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285146Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:02.638{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285145Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:02.638{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285144Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:02.638{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285143Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:02.638{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285142Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:02.638{C8EA50B7-F11C-6215-0500-000000003802}412528C:\Windows\system32\csrss.exe{C8EA50B7-0E4E-6216-A604-000000003802}4268C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000285141Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:02.638{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0E4E-6216-A604-000000003802}4268C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000285140Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:02.639{C8EA50B7-0E4E-6216-A604-000000003802}4268C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
10341000x8000000000000000285139Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:02.466{C8EA50B7-0E4E-6216-A504-000000003802}5948172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285138Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:02.138{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0E4E-6216-A504-000000003802}5948C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285137Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:02.138{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285136Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:02.138{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285135Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:02.138{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285134Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:02.138{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285133Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:02.138{C8EA50B7-F11C-6215-0500-000000003802}412528C:\Windows\system32\csrss.exe{C8EA50B7-0E4E-6216-A504-000000003802}5948C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000285132Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:02.138{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0E4E-6216-A504-000000003802}5948C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000285131Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:02.138{C8EA50B7-0E4E-6216-A504-000000003802}5948C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x8000000000000000214290Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:03.951{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3DD3C677A657BDB8EAEDEC740AC545C,SHA256=F0DCE57771FC0216F2C1BBC8EFF0EB93D5BA26FD060DF40B9513FB9EEC3BE29E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285151Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:03.888{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38055CD9B8A69EAAFE7B2C2C04C801D8,SHA256=14577935BA2E5F9875E187C55C3D7FAA2B4A849E8912C3F47F95C043ED0BD924,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285150Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:03.153{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B2484E7A8C8D2ABBC5611A964F4637DE,SHA256=4367321519DECB9A1E6562B713D9A6A931D3AF52AB33014EB19B2B26F71C722A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285149Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:03.153{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2D5D9A74843A6F5975F7D44B1480F340,SHA256=D3A73557918C2775592D77699F77D84E63AA38D8FEDC5B3A651CF79F3AC607BF,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214291Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:04.966{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCD561D57B414DE4FEACD85934C627F4,SHA256=7E719E4F75E29ABDB6ABBBAE1540A56603D8FB1B0F85741DBF02037FA092F92C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285163Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:04.903{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70452712DA455E9257C06A0C4501E1E6,SHA256=2CCDCDBF3D75715FFC6045D02DBC968F229DC6177C971D06DA6187E9F9498FC9,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000285162Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:03.099{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53231-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local389ldap
354300x8000000000000000285161Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:03.099{C8EA50B7-F130-6215-2C00-000000003802}2420C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53231-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local389ldap
23542300x8000000000000000285160Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:04.653{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B2484E7A8C8D2ABBC5611A964F4637DE,SHA256=4367321519DECB9A1E6562B713D9A6A931D3AF52AB33014EB19B2B26F71C722A,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000285159Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:04.278{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0E50-6216-A704-000000003802}5796C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285158Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:04.278{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285157Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:04.278{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285156Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:04.278{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285155Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:04.278{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285154Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:04.278{C8EA50B7-F11C-6215-0500-000000003802}412428C:\Windows\system32\csrss.exe{C8EA50B7-0E50-6216-A704-000000003802}5796C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000285153Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:04.278{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0E50-6216-A704-000000003802}5796C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000285152Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:04.279{C8EA50B7-0E50-6216-A704-000000003802}5796C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x8000000000000000285164Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:05.935{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2739C4A08CDDCA908E106EE85A48D2B6,SHA256=161D9379F4D8D61B7FB876AD79DFB23DE14CD0F194B297318395FFBBD5EFD2ED,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214292Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:05.982{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBE3EEB7F16300CCE15FC093FD188E26,SHA256=54B03758057420F28676464A60A8EACA4B64FF66BE6BC77E46DEA04C0A149F37,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285166Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:06.966{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0FA24DE7CD778EC70BE765135592517,SHA256=81646BB0FEFD5AAB1BF79808CBD105A95F29517EA3511393AE8B66BBDCCA9ED5,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000285165Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:04.630{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53232-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-
354300x8000000000000000214294Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:04.515{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51178-false10.0.1.12-8000-
23542300x8000000000000000214293Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:06.998{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA93E4CFF3E2A34C1F55490E23E3F418,SHA256=95F1A131E1BC4A6ABD1A5AC0256FCF812955CAB86938DCCBE90B89A54948F876,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214295Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:07.998{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C31FC9159DC717244B8A05000E065F2F,SHA256=77150E35EF61C821894389834494CE32B481E6B52A398BF1B64CE7162169E33E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285167Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:08.013{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5C834630AD2E7B1F4EACEB9AA7632E1,SHA256=D82C57BF1970A5AD14E32B4F106F927FCC103B91534BB51FF0AAE038782DC06A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214296Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:09.013{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAD5A62905389916715934EF3F73A934,SHA256=3D775B1F75FB0594F0B4EA410A125E42C1BF2206EAD5DE55D2A95436B7EBAD7C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285168Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:09.091{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAE02B95EBBADC3BA357B936D92796F1,SHA256=6FF4A6AD2178D1D6A55B7363E01AED570AA77F41F542F567B647C32503460B68,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285169Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:10.106{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A309640D8F1C5D9E46F3B170CB47B371,SHA256=3098B00648F9AA04CCEBEBE1B25FE4A2B55EC35276B99E603E34EAA5B88B9165,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214297Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:10.045{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7B85504EA862FEA314F6BD57D09ABA9,SHA256=FD184076741E75D190175B7BF169E1F0CB7CD7AFD7564D4E31BBDC12CF7B1214,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000285171Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:09.630{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53233-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-
23542300x8000000000000000285170Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:11.122{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=005A804D114CAD0E80E884FFC6205181,SHA256=2B8A9D97486D719791491DFC45ECFF59B82267685625AE43EE4856B62CA0E37E,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000214299Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:09.562{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51179-false10.0.1.12-8000-
23542300x8000000000000000214298Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:11.046{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1281117A0F77900E2AD74AA12C5C9219,SHA256=78EC81133F2A2F3A434D285F358D3715BE492DCBCE171CDD562F122A8537240C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214300Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:12.076{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9826CEA6752B36F8025973D1FED6103,SHA256=D8FC86F1C9703492234D34AB381C639D72F33571E01831DB136DC34B3A408697,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285172Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:12.138{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=381145C28D700C5E7D69BF44DEBC9AE4,SHA256=4FA763F2CE32E507372B2B730A4B9B9DD512322F55AB1927B00B33E90608A5CA,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214301Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:13.294{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=901F1FA25A15C319AB8F91AEE06ACD1E,SHA256=FD3E8817B67F5F404A01386F58DD9FC4018E62EEDC14C3057C3D8E3D3705917B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285173Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:13.153{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3702FB999A3C7BB3670743CB2F2D4D94,SHA256=253E8E6E80C66C36A24501C1A01F7750EF12B804F0E515B2AD83A3AC5FBFA351,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214302Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:14.341{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEB6FA1E0068CD13CE69561C572AF5DC,SHA256=6123E59523DB7761F896A44CDA5A10E03DF4830CC9A258BEC9F7CDBE146E6122,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285174Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:14.169{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9601A4FF63EB8CC337375B5DAA376ED6,SHA256=94AD7E9DC89103BAC3058A34673A2FF733448BEC1A830FC3B354E80FA6D24690,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214303Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:15.482{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=087A09DCCB45AF4B9F3CC89339F97C0F,SHA256=042738DC78FD487742F86E0CED39C0959125AD071B00D96F04088EB0DAB8CE35,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285175Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:15.294{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F09E9FF1BE39ABF02D998DE395D37DC,SHA256=618F6EBBE3F61C727AE66A2A0D273696353E346E0CE7CD5DD626CA528E91C76A,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000214305Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:14.660{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51180-false10.0.1.12-8000-
23542300x8000000000000000214304Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:16.607{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D2DC245F7D65A5104A7A0D86A40AE8D,SHA256=B3BB117842BCBC5A5EF40BD94EC119DF7C7A9019B233AFD3F9546E451CB81817,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285176Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:16.325{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F75BAAB81DF35736EEB874059A981EA,SHA256=081DA7D04358DFA752BB5B9399717DE691590AA08D743E5171FAAD857F3FC9E8,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214306Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:17.669{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6182B7324B26A74157BEB4AB5F30C7D0,SHA256=4FA6C1B90DF432BE63352654C94C898B2B206134F7871602CBDCDF208AB08691,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285177Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:17.341{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED9E5AFFCF3F0ED2B9A98E1E60C3990D,SHA256=C1651D9DC25113B05BBE9ADF51E467497A1B0DD362C19CF10A0853F4A9AFDE2E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214307Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:18.904{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBE9DC1F132BB27ECCE9AA9211A8B78C,SHA256=B0B22AB86F0A1A9FC96989D79A3ACB736ED069D1F825538BD062A8BA1206C458,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285179Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:18.435{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92DB0B6ED1414ACFF8983E31DB4A4419,SHA256=399E771E0AD5552BF1BCFF90E88A7C170B04E9F3693869D4F8474A5DECBF66F9,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000285178Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:15.583{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53234-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-
23542300x8000000000000000214308Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:19.951{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B82092F1F79E17DEF6A0764BC2A66596,SHA256=DF6AD45F8DEB2286B78B2929FCD9275BF6AB4C6C929341DAFB8D25BDD77AF42E,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000285197Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:19.981{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0E5F-6216-A904-000000003802}4824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285196Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:19.981{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285195Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:19.981{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285194Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:19.981{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285193Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:19.981{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285192Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:19.981{C8EA50B7-F11C-6215-0500-000000003802}412428C:\Windows\system32\csrss.exe{C8EA50B7-0E5F-6216-A904-000000003802}4824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000285191Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:19.981{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0E5F-6216-A904-000000003802}4824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000285190Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:19.982{C8EA50B7-0E5F-6216-A904-000000003802}4824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
10341000x8000000000000000285189Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:19.764{C8EA50B7-0E5F-6216-A804-000000003802}2372420C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x8000000000000000285188Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:19.497{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=486C304911DFB5A835286A1E3DDEB545,SHA256=DD3B66A6E1061BFA79312109B7A463357030F32B59B8CE91E054655EE8156259,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000285187Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:19.481{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0E5F-6216-A804-000000003802}2372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285186Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:19.481{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285185Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:19.481{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285184Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:19.481{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285183Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:19.481{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285182Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:19.481{C8EA50B7-F11C-6215-0500-000000003802}412528C:\Windows\system32\csrss.exe{C8EA50B7-0E5F-6216-A804-000000003802}2372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000285181Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:19.481{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0E5F-6216-A804-000000003802}2372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000285180Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:19.482{C8EA50B7-0E5F-6216-A804-000000003802}2372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
10341000x8000000000000000285210Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:20.841{C8EA50B7-0E60-6216-AA04-000000003802}41846032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285209Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:20.653{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0E60-6216-AA04-000000003802}4184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285208Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:20.653{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285207Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:20.653{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285206Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:20.653{C8EA50B7-F11C-6215-0500-000000003802}412428C:\Windows\system32\csrss.exe{C8EA50B7-0E60-6216-AA04-000000003802}4184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000285205Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:20.653{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285204Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:20.653{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285203Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:20.653{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0E60-6216-AA04-000000003802}4184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000285202Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:20.654{C8EA50B7-0E60-6216-AA04-000000003802}4184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x8000000000000000285201Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:20.514{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCF377970E17B3AA3CCC1F6DB2221FDC,SHA256=1F353371861A5FD98DF14E65B1A7289A3A30549E161E2DB2AD00C7C99DEC07A2,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285200Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:20.497{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5EA2D482FFC2F551619D981479DFFCDD,SHA256=DB723BF4ACA4A5E01E40CE1FFD7FCC4E9556C1196E9B52B5814730D6D599C363,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285199Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:20.497{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=905113A7AC58F5854E0F1467A7B8127F,SHA256=0E1234DBF084426BDAE237934FE5D74B4EE191CE1286FEBD67B41C7731D561A4,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000285198Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:20.169{C8EA50B7-0E5F-6216-A904-000000003802}48244784C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x8000000000000000285220Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:21.653{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5EA2D482FFC2F551619D981479DFFCDD,SHA256=DB723BF4ACA4A5E01E40CE1FFD7FCC4E9556C1196E9B52B5814730D6D599C363,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285219Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:21.544{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28998229DCFCB7DD04D4AC2BD899037D,SHA256=A86400E1E431FBCC20B0EF7C1614BAAA9BEC2A2F65399CC7B5A5D5EB5D66286F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214309Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:21.013{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B97BAF6A8A686406C4654F10123CB596,SHA256=00CA1E979033A10EFB988214125AF22D35CADDD1D156E6E54F26B514463CA6DC,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000285218Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:21.325{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0E61-6216-AB04-000000003802}2288C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285217Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:21.325{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285216Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:21.325{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285215Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:21.325{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285214Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:21.325{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285213Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:21.325{C8EA50B7-F11C-6215-0500-000000003802}412428C:\Windows\system32\csrss.exe{C8EA50B7-0E61-6216-AB04-000000003802}2288C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000285212Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:21.325{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0E61-6216-AB04-000000003802}2288C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000285211Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:21.326{C8EA50B7-0E61-6216-AB04-000000003802}2288C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x8000000000000000285221Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:22.560{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09D368C51E8C643861B689E91EA36035,SHA256=4EDFDA833D2F9CAD0503451C3F8C1761DDEA6962F0DDDBE3B6CF5A97676DA0A8,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214311Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:22.044{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D6A901D784374ACF7CDD4DE18DD2181,SHA256=28EFDA7603E6664A5167FAAB5AAE7C57BAC96C3D9A70B9C66579187E81DAB8D4,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000214310Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:19.671{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51181-false10.0.1.12-8000-
23542300x8000000000000000285222Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:23.622{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2519A01B6203E5567AD46167B2A58DE,SHA256=04994865A038B4DDA61D3EB5B5FAD33C1420926F03CDAA03410D74BBFCC046F5,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214312Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:23.169{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F16B36ABD20EBF55B9A14FAA7995CBC,SHA256=D3BDAB89BB83773623042FB9B0331EB32F9139D08ACF91AE1FF44B69AFF09DED,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285224Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:24.685{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C8F41493439146BB74D0D2C7C68AEE8,SHA256=B696849E8597F907D2A407199CBF732B8F3ECE888B9EDB9CF67033E7F2949324,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214313Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:24.185{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF03CF55765A37C1B939FE07F426510B,SHA256=5FB110BD410DF11C0CF73915D467517EB61B7BF1E88FD56DDBCA88EFA24F1B94,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000285223Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:21.521{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53235-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-
23542300x8000000000000000285225Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:25.700{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48D7688C4D66D7F100CED77A7F092F1A,SHA256=9B063C8FAB78CC39DD2619FFDBE7EE861557C45272B331651B42CC0E0F414063,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214314Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:25.404{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C99DCF3613CAC7D8DB2D7B6D61C3F5AA,SHA256=8B2B807D0543E14E12B294BF211C9CF09EA1BB8ACA53EF07C647704AE642C3CA,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285226Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:26.810{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EADEE0A0F0A6113D897E7D11C9EF759F,SHA256=3B81965A3D6BC0CEA659C9D96DD6A034E01850A82C36641C4C245672182628CC,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214315Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:26.404{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01DD265F0294A336771497A7E5C23555,SHA256=8A75036C9854C34FA1A0396818006B903E56695927594D8AABB2298DDB7D91E9,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285227Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:27.872{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F28EC04E67E800B251BB50D7289D12C8,SHA256=CFDF5541C9BA465EB5F445FD9000D569DB9CC71C1395BC883945DFAFD75F4BA8,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214316Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:27.419{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=864FD0A1372C608F8CE30D701D3E8152,SHA256=3FD4B1F5985425211B1A7B58601A3F99D97B2F197F97D4E41A2910E53D52F93A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285228Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:28.903{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEEE4690AFAF87505C0C723E06879E31,SHA256=BBE29CEC8ED0A78A8601EDFAC7AFBA271432DCF4B7FFF124B68F9DC59501393F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214318Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:28.451{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2FB5846141F9310A47A6F94450394D2,SHA256=7A6E5459BC7696F4A7BF4E9C0A0B068E782CB63F6AD10D2E871AD7B82BE44F9D,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000214317Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:25.609{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51182-false10.0.1.12-8000-
23542300x8000000000000000285230Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:29.919{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29C8ED644F60DF1BBD812B8B7893B917,SHA256=84EC9E704C1ECD77782A0C736BE6FEEAB02B8FCE1E42197AA1CC49BAAB8B9D4F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214319Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:29.669{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10B0FB844FCAA761F586B622767BA2FB,SHA256=88887AA4369F9ADEF9072CDBF438A5BE077CC3F314F42852CDB75ABE11FC5A0E,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000285229Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:26.568{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53236-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-
23542300x8000000000000000285231Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:30.919{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17D372696FE9F89634E913637D0C8C0A,SHA256=D1EBE105ABA00B902441BB54AA2BB8CF75E76D57C679CD69EBA19DE3733DD08D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214321Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:30.685{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C12FD75D1EBB22CFB6F4EBCD5D8134A,SHA256=E24289899E8280FB7206554E190B4AAB6ABD7C7062F2882C2A370761D192B592,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214320Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:30.232{4F8D34B0-F11C-6215-1100-000000003902}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=CB713E6EBC62B592D57150B98A953585,SHA256=E71D8339ED26422429E3490CFEC7142A9997A22F6C44FB069854333F57C45095,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285232Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:31.935{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2061A706AA9F051DB032A9773756B412,SHA256=C42E8403665061B45CB8856EFD4EDA99DD11B7A7BD5A948AF3B58CD01A99A887,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214322Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:31.685{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56DBC75C969E1D1123CB51EF3BD6DB1A,SHA256=424A87B893D5F55B182247E4D0B0F19D0EB54BB5E2543F43B080425C48F6DE72,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285233Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:32.950{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F27EA812BA5F936FD35B6C299B266E1,SHA256=1CE6E2BECBADB32EEBACDFC44B0FFC17F9C9A18E5813045710548F988252441E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214323Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:32.685{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54742C616E860580EE619227F23405C7,SHA256=17584F34CC4D771BBA9989FA0FA01CB9DB14D578D319326EC3CB6AB3D312F923,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285235Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:33.966{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C46AE3A9472172A97D6D827B6538A54,SHA256=4DF65888B38E1C5734412E9DA66403D1438CFFD8334802FE1CC576E209A0FE24,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214325Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:33.749{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86F0FB0A30B5616A0AEC557B7CB840E1,SHA256=95B48C869DB400A50778C6FB18DB7A3BEED0DC3B841067942C74B072D2CA3CBD,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285234Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:33.247{C8EA50B7-F11F-6215-1300-000000003802}616NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=7A9FA08CAB22F17EB76A8F948C12C100,SHA256=DB2830998C30CDEF91971203FEB9405FFD4E8142FB1F64B0DBB85C195BEA11C5,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000214324Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:30.687{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51183-false10.0.1.12-8000-
23542300x8000000000000000285237Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:34.966{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F181B27630BE066F1EAFFD2C401DADBA,SHA256=B6E4B6B1F98D5820608FFDD1093CBDCB8FD5C8A73948F4513826EC95FFA0C855,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214326Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:34.765{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=510CA1FB30F11BC7B8C15F99DBBBB9E9,SHA256=12CA99D19056092C3816710AC61228882C36DCAA440DE5025B02B355B9D54D6D,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000285236Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:31.646{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53237-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-
23542300x8000000000000000285238Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:35.981{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA6C8812D13DA024E7C115271DF11B04,SHA256=6DEB0DB3D53D497044137CE1C20CE3C7BD94214913F8D2C03F8DD8BDD9A9C5EC,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214327Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:35.999{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2F0418676771B14390E7EDEBFB319FD,SHA256=AAB187282DA107E4969D0A30B9D56CAB736516C40F0B148E1300FCF73F8B9BEF,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285239Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:37.200{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5D4C290774BD766459E2C6536CF59CA,SHA256=50B8CAC50BDB2552737B95EF231F73E36B074A05CEAB3C4C92B84BED603AABA1,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214328Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:37.218{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C1499224B006855913C7F2A3F602619,SHA256=D12947360BAC50B8D4423EA08ADCA2E7498F1D2045B98EAA8C1C7A9C1A71BAC8,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285240Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:38.403{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDE2558D8A95D0C31244245EF90731CC,SHA256=D8AB5C509A040CBFFDFAA03A0381F01FE5C19BEAE8FEBE2F0F1F4ECC6CE7B4A9,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214330Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:38.440{4F8D34B0-F11D-6215-1D00-000000003902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04ffbe17aee3fbf0d\channels\health\respondent-20220223083233-121MD5=7840F8D654EED3E7C6FA395A9E23FA56,SHA256=FC4C38DACEF1698268BE802A03907A00216EAC67FA531AF20528DD4173FB9624,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214329Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:38.233{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A40F28AD8FA89C272BB08C48FD05B282,SHA256=E7F670C0B8B455C0E8DBF3004EF42447B0108BE7FC9FDB5CE13FFAE95BE06AC7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285242Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:39.450{C8EA50B7-F130-6215-3000-000000003802}2512NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C796F5788518CF0F57AB5C87207C5D14,SHA256=0CE7095FECB35749AB15D15586D728EDDAEC94009FC3FB4FCEDC790B064FF951,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285241Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:39.450{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE650899CE17147F975298564388E563,SHA256=F9805B0EB56334F1FB74B5026D6F56F56553B613D45E76200D7CFAE45B5DFB2A,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000214333Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:36.641{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51184-false10.0.1.12-8000-
23542300x8000000000000000214332Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:39.438{4F8D34B0-F11D-6215-1D00-000000003902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04ffbe17aee3fbf0d\channels\health\surveyor-20220223083230-122MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214331Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:39.343{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBCFF661D7F8CDDDBC2D11F1E5311495,SHA256=37024439126F5F33F684454B896757E9BE4CAA29BBCF682AB87F550144E030A8,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000285245Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:38.912{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53239-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089-
354300x8000000000000000285244Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:37.568{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53238-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-
23542300x8000000000000000285243Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:40.466{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABD0CC640B102358C2E90DB136A67443,SHA256=8BD2D88AE7CB30FF68403F7577509E078237E8FFAF565D0B423C08E5A3119528,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214334Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:40.453{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EAE1CC214F683852520FF9E50644B43,SHA256=1C77111C69BADDAFD1EDB006BC0119790EA3B52A84A7B8EA0A20CF9224921D7F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285246Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:41.513{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3113B41FF9CCC75ED8E7F209CC99669,SHA256=7759CBCA7893D3B09501910175A12A8A948FCCDF986846D20464B6EDF84F5180,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214335Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:41.500{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0E5D5ECCD4E0C9733053E8F198523D1,SHA256=F5A4DA0BB9B17442D5B31CC1160E2CE4C0EE87DBF38E86E780C9E3C107F24647,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285247Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:42.528{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA439AAB3B61F0197844B7773631CD46,SHA256=C10F2CB37493C892746060B903837ADB41BF0E3BEF1686CD03492407C9137C30,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214336Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:42.515{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DF63449C70667859A9BE209A8072D14,SHA256=92D15309C9A186E3CA781BA3526AF064C006874B46EBF01A5BDC81443B0C8588,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285248Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:43.560{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4AB35C31DFAB037E2C5A0E8EE8D5324,SHA256=1CB29AE67E62C4117F92BFF29EACA1CC456D6685C473312ABB6A34E92FF157E6,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214337Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:43.515{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2335AD74205B9E47CC908E8800BD0AFA,SHA256=5D35A4F8E583BA5F98E189927ED3CB0B6DF877CE8176A48AA3FE648411668AAF,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285249Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:44.576{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89E9CF862574F393E113BAB3922E62D5,SHA256=0D9BE64C44F892C82E1A190F2BDFA1F8C611B0D4B7CD57F73177441F3E485089,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214338Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:44.531{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=433FE98FDBCDF9FB7ACB2723F9940307,SHA256=7D72241DF74D8CB6221CA2BFC3D08AB4E564DE43CC9F4A54C3F3917C935143EF,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285250Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:45.606{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E947780F52C7C36A1DCD309816CFCDA,SHA256=D04FA64FAE59620E8280879114B6FE8164304D717565E9071A6027D122933C71,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000214367Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:45.812{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-0E79-6216-FD03-000000003902}3800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214366Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:45.812{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214365Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:45.812{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214364Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:45.812{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214363Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:45.812{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214362Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:45.812{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214361Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:45.812{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214360Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:45.812{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214359Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:45.812{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214358Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:45.812{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214357Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:45.812{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-0E79-6216-FD03-000000003902}3800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000214356Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:45.812{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-0E79-6216-FD03-000000003902}3800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000214355Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:45.813{4F8D34B0-0E79-6216-FD03-000000003902}3800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x8000000000000000214354Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:45.687{4F8D34B0-F11D-6215-2300-000000003902}2036NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C796F5788518CF0F57AB5C87207C5D14,SHA256=0CE7095FECB35749AB15D15586D728EDDAEC94009FC3FB4FCEDC790B064FF951,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000214353Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:42.580{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51185-false10.0.1.12-8000-
23542300x8000000000000000214352Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:45.547{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BBAD97AF8C831CC160C8DADB6CFA7B0,SHA256=121B92BE372F006428C0CD48B18B718724E63E525A6DAA7ED27799B3A698C1E3,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000214351Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:45.140{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-0E79-6216-FC03-000000003902}2908C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214350Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:45.140{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214349Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:45.140{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214348Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:45.140{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214347Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:45.140{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214346Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:45.140{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214345Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:45.140{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214344Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:45.140{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214343Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:45.140{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214342Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:45.140{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214341Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:45.140{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-0E79-6216-FC03-000000003902}2908C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000214340Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:45.140{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-0E79-6216-FC03-000000003902}2908C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000214339Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:45.141{4F8D34B0-0E79-6216-FC03-000000003902}2908C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x8000000000000000285252Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:46.638{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7B72E87CF95C5E2537C795DC7EEA94D,SHA256=7B3AD27FB7343BC0ECDE71BBB5D278BAD390E632E9C53A424886F21A2D66EC9D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214371Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:46.562{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6945A0F320390874C5E81FDCE7BF4A8,SHA256=A1593D4BAF355C0A75B765E4DB27DD1E17327514197D99C6FBFFBC4A0A99471E,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000285251Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:43.552{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53240-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-
23542300x8000000000000000214370Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:46.140{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=061AA23BAB3DFC63FC224EABEFAB8DED,SHA256=181293E30249B878130250001CBDA8FD4F6B0AFB210E0FA18317A751FDDD1F29,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214369Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:46.140{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3B64C21FCAC75C6EA092C972DDC75937,SHA256=EEE2BCE2A2C834988F63E2C98B0C80F29A7A5AB61EEC6E792F2467EEABC0FB23,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000214368Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:46.031{4F8D34B0-0E79-6216-FD03-000000003902}38003384C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x8000000000000000214386Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:47.562{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F77EF8163D5DFC0CEA2BC5B70D45D043,SHA256=87571A5B9E504F04BDB1BF77EC5D7192998DBEDDF02D4997F87B1CC2320A3C62,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285253Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:47.825{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C123EDF2A5289E458AEE28F05971D7FF,SHA256=9CE76493B198E9CF88936BD20FDB6BE38E75A3314D20D4F493169D0DBD5ABA99,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000214385Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:45.111{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51186-false10.0.1.12-8089-
10341000x8000000000000000214384Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:47.437{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-0E7B-6216-FE03-000000003902}2716C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214383Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:47.437{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214382Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:47.437{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214381Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:47.437{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214380Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:47.437{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214379Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:47.437{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214378Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:47.437{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214377Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:47.437{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214376Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:47.437{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214375Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:47.437{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214374Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:47.437{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-0E7B-6216-FE03-000000003902}2716C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000214373Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:47.437{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-0E7B-6216-FE03-000000003902}2716C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000214372Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:47.438{4F8D34B0-0E7B-6216-FE03-000000003902}2716C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x8000000000000000214402Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:48.593{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4ED098B6E1AFB7EF511A150877E165E,SHA256=6675FC1FAC41F970278382309A2DF04C6936FEC09F85C71E2DB2C4F28C53EEF6,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285254Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:48.841{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0C91D084BF1AE6C47458FC216D7257B,SHA256=CBAA7C98193EAA3B1B35506322A3F0C5F68667E31DB4A10CFC1F8BB5E13ECBC7,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000214401Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:48.515{4F8D34B0-0E7C-6216-FF03-000000003902}32282336C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x8000000000000000214400Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:48.468{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=061AA23BAB3DFC63FC224EABEFAB8DED,SHA256=181293E30249B878130250001CBDA8FD4F6B0AFB210E0FA18317A751FDDD1F29,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000214399Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:48.109{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-0E7C-6216-FF03-000000003902}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214398Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:48.109{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214397Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:48.109{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214396Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:48.109{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214395Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:48.109{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214394Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:48.109{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214393Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:48.109{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214392Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:48.109{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214391Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:48.109{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214390Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:48.109{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-0E7C-6216-FF03-000000003902}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000214389Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:48.109{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214388Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:48.109{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-0E7C-6216-FF03-000000003902}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000214387Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:48.110{4F8D34B0-0E7C-6216-FF03-000000003902}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x8000000000000000285255Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:49.856{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E7762C825B126253F676EFDA8DB0B08,SHA256=C528EA869F9C4577200CEA9F9325E01178D6C77115B9CA54390C93007CDA689C,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000214430Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:49.984{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-0E7D-6216-0104-000000003902}1080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214429Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:49.984{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214428Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:49.984{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214427Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:49.984{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214426Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:49.984{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214425Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:49.984{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214424Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:49.984{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214423Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:49.984{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214422Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:49.984{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214421Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:49.984{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214420Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:49.984{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-0E7D-6216-0104-000000003902}1080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000214419Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:49.984{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-0E7D-6216-0104-000000003902}1080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000214418Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:49.985{4F8D34B0-0E7D-6216-0104-000000003902}1080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x8000000000000000214417Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:49.687{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=144C6E62BC5E20827A6C1E5078AEAFD3,SHA256=34D5D3FEFDF7D9593AE1866DD4FBF1D74E39CE6ED7182589B8AFA5C757C5CDA8,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000214416Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:49.515{4F8D34B0-0E7D-6216-0004-000000003902}8803716C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214415Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:49.312{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-0E7D-6216-0004-000000003902}880C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214414Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:49.312{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214413Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:49.312{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214412Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:49.312{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214411Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:49.312{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214410Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:49.312{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214409Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:49.312{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214408Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:49.312{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214407Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:49.312{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214406Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:49.312{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214405Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:49.312{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-0E7D-6216-0004-000000003902}880C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000214404Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:49.312{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-0E7D-6216-0004-000000003902}880C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000214403Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:49.313{4F8D34B0-0E7D-6216-0004-000000003902}880C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x8000000000000000285256Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:50.950{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60AF3EFC91C75490F1E8A0E884CD08B1,SHA256=76A151640F94A891D07B133F20931520679912055C530DB6D227E9C0EC959BE2,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000214434Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:48.517{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51187-false10.0.1.12-8000-
23542300x8000000000000000214433Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:50.687{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=786C6D2D10EE05EE8BE6F25CD6B5B072,SHA256=6C5CA3668745BE7051F88672FFAFB2487C0F776E67822F85876E2E1B50F72C7F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214432Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:50.439{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5800ABEA26A7079BCE9EF0AC4FC655CF,SHA256=D0D5837C499CD635320FDF6662BD5DDFB1C3F1C98474D666E113F4EA492171DC,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000214431Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:50.203{4F8D34B0-0E7D-6216-0104-000000003902}10802280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x8000000000000000285258Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:51.951{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEA3ED23BEF299904CDD8DC4259450EE,SHA256=8A856E82E5F5DCD499523E3F1856145EB7DE2BDCD4C342AF132275DE037C01C7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214448Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:51.765{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B217D972B724B4D1E5E75DB8A1A5A07,SHA256=B84CE0751ED27BB8E51C819F884236CCF9990ACDC4424B2BFBA5D43EF26FFBDE,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000285257Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:48.567{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53241-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-
10341000x8000000000000000214447Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:51.609{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-0E7F-6216-0204-000000003902}1156C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214446Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:51.609{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214445Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:51.609{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214444Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:51.609{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214443Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:51.609{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214442Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:51.609{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214441Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:51.609{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214440Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:51.609{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214439Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:51.609{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214438Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:51.609{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214437Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:51.609{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-0E7F-6216-0204-000000003902}1156C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000214436Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:51.609{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-0E7F-6216-0204-000000003902}1156C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000214435Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:51.610{4F8D34B0-0E7F-6216-0204-000000003902}1156C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x8000000000000000214450Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:52.828{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFE749FD7B6059DEB686F6FA393BCB84,SHA256=140E988D05930F19358268F5A31CCE87BD95CC62021F58BA24E2A2814B9D358C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214449Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:52.657{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F731333EE94C4FD9B0C7AD7AC79EBE91,SHA256=2C212ADCA3AC534FE74FCB089EB7328FD8CE30473A35039C4FB75EA18845E060,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214451Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:53.875{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FF83A0053C92D04060090DB31BD37B1,SHA256=A3C7F250087B7655D0B826B42F0A2B4145040845BF8F3267876EDF935E25C2E7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285259Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:53.014{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DB41DC94054B4DCC11CB3E0C146A81D,SHA256=1CE5E0DC866ECBB4B9FB0CE1AA15C7D22748879289DE5D45BAF3F65DC7CFAB01,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285260Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:54.061{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E39600E640E9D9E4305AA5108FD0228,SHA256=D1F9542428792397FB4726C87C2ADCB69C178729D5C820F93D7BAF65531719DE,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000214453Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:53.580{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51188-false10.0.1.12-8000-
23542300x8000000000000000214452Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:55.031{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90A0689D7D1D2F0026E5DFF71F2B4760,SHA256=810E5FF41C48B4962E916CE353249780E220AABEEC0CC998ADFCEFE9982AB2D4,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000285262Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:53.569{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53242-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-
23542300x8000000000000000285261Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:55.139{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D72A9ABB0F71ADDCEDF2B0202C2CEA18,SHA256=D67E9A48CBA6C97DC8FBD85DE655F60DA2156AF1CCC9A09F359AC6625A350F13,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214454Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:56.031{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D32E9B60C666FFEE3BB2974D8C8CE569,SHA256=E44042944D7EA6992BBBB304CC982832D913F0903879A0EE0D6852AFF5240AED,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285263Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:56.139{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=024225123FC09C1FE7E66DB0B65C3176,SHA256=D5FEEA21F00B424635D0DC03C68067F18F4ABC7183AACC5BB919F97F3119B549,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214455Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:57.234{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF4F9A3877863FA3819CE4B358C17736,SHA256=365DC763EAA06CD8BA6E253D85EE505E6482DB2CE4E33C924433C9CADECCE9DF,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285265Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:57.146{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4312D57C1F357BE4850EAFE684483684,SHA256=83305F0D971958960196027045ABA1839E969E3A1867B09878897FF0302C1AE2,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285264Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:57.112{C8EA50B7-F130-6215-2F00-000000003802}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03cdc2690a17b3e8a\channels\health\respondent-20220223083251-121MD5=A38EB58E8C6680789F1AEA0022EC0210,SHA256=7B5C3F2ACD9B17C99423AC4BB2B0CFD455B3A71F8C48567BF2A051FF8E6D4921,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214456Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:58.359{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89300D6B104103D857F184F4EEBD83A8,SHA256=635E0ADC2992537DADF1FE67AB74E220F8FAB031A1BE2B495C125B55A91702AC,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285267Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:58.148{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBC185B3D1318EB73104AD3102E1ED5E,SHA256=74B8DC5E077F44B25A213C7B3C904AF290C9162CE4E4A8D36DC9AB301D316F8B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285266Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:58.119{C8EA50B7-F130-6215-2F00-000000003802}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03cdc2690a17b3e8a\channels\health\surveyor-20220223083249-122MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214457Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:59.375{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7159E248D0F4C3313F134FCEDABE4722,SHA256=2A7200E272A082DB3A2D7829F8F60846F43B912572B836D6A32C7D1707B02ACF,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285268Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:59.166{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=582F8F95E24D34988D29E0455FAFA798,SHA256=FA1B79BC3D6211DD6D88F24D845EA218B5AB935F13F335C804C99EB4F281BBA8,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000214459Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:37:58.611{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51189-false10.0.1.12-8000-
23542300x8000000000000000214458Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:00.500{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F22D25A78329FD0EB0BB1D651E893808,SHA256=C855123080668EB9EF84A191D546D3BFF0AAF65307AC348D0FD6D1AE8ABCF3EA,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285269Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:00.182{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA28AD97DD9D1F57B5EDA6796D7D4E2B,SHA256=92873C8C46DCF217DCEE5E5E9B0DAC6B7742A4AFAC8AAB752581A55BF9DFD4D8,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214460Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:01.609{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F11B3D5DDCD7193FD1014CE481CF9341,SHA256=E577ECF30A5F374671F0CCD569AA5F38CD7B979309B6112974A324DBF80A2381,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000285271Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:37:59.565{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53243-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-
23542300x8000000000000000285270Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:01.229{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A37374E5F23275C16F0341B9CF519D49,SHA256=FE63121039425E0F021BCC3457717B590299DCD8180436D241392B483DA09A79,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214461Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:02.609{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=243C3115C3DE8B3E818C3F11BF2934C7,SHA256=AA4A1781DB29246C93B332FF15B677BD0869F7C80DC5A9CC62665E5D01F51D63,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000285289Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:02.744{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285288Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:02.744{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285287Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:02.744{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285286Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:02.744{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285285Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:02.744{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0E8A-6216-AD04-000000003802}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285284Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:02.744{C8EA50B7-F11C-6215-0500-000000003802}412368C:\Windows\system32\csrss.exe{C8EA50B7-0E8A-6216-AD04-000000003802}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000285283Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:02.744{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0E8A-6216-AD04-000000003802}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000285282Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:02.746{C8EA50B7-0E8A-6216-AD04-000000003802}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
10341000x8000000000000000285281Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:02.510{C8EA50B7-0E8A-6216-AC04-000000003802}10765264C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x8000000000000000285280Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:02.309{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18C1DFB97134C33BEA0C12F85DD157F9,SHA256=FD3BC5FAF236BA45B412C3927E66AD05229C3BE7A2A0621580C73FA1EF3DD975,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000285279Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:02.151{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0E8A-6216-AC04-000000003802}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285278Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:02.151{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285277Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:02.151{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285276Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:02.151{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285275Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:02.151{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285274Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:02.151{C8EA50B7-F11C-6215-0500-000000003802}412368C:\Windows\system32\csrss.exe{C8EA50B7-0E8A-6216-AC04-000000003802}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000285273Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:02.151{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0E8A-6216-AC04-000000003802}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000285272Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:02.151{C8EA50B7-0E8A-6216-AC04-000000003802}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x8000000000000000214462Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:03.640{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=245B192E39BB59513BD9B1F48D0AEE54,SHA256=7A6BDF99AD07877B022759E4748B89AB0B858DE4DDC78C7CCC67357A7C20B088,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285292Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:03.322{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D15F91A789C9587A255A09A0893434EC,SHA256=D711BB80F34B04F37C0A8E72EDBE5B5D8477534A0C672C64FE1C049D8EC0D55F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285291Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:03.182{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5EE9A0DD128FD07F18D7CCF0AE5DEF0D,SHA256=92C48ABBB4958108123BC5F5A2D563BF0761D6DDC08870EF8E47DD459C29B608,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285290Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:03.182{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D3D9F61544555FB52A1018EE3A967C04,SHA256=5276C9D874544773517E79E0B9F5843FCBAAA52162ECC7DC9D47820A7C9C74BF,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214463Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:04.640{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D118F18C18DD34AAE1AB13EB2F6CBF4B,SHA256=8913E9F4C20D3F18EA1CD6F2466F9AF1BE2F749F816AD4F519A14C64D2DAE5B8,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285302Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:04.697{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5EE9A0DD128FD07F18D7CCF0AE5DEF0D,SHA256=92C48ABBB4958108123BC5F5A2D563BF0761D6DDC08870EF8E47DD459C29B608,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285301Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:04.339{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C0E9A50350FE5B1E5DDF0F36939729F,SHA256=91A17FCA6219C932A30ABEB1CE8B77A705DCA0703287645B2EE6BB40F6EC852B,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000285300Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:04.276{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0E8C-6216-AE04-000000003802}2328C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285299Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:04.276{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285298Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:04.276{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285297Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:04.276{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285296Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:04.276{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285295Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:04.276{C8EA50B7-F11C-6215-0500-000000003802}412528C:\Windows\system32\csrss.exe{C8EA50B7-0E8C-6216-AE04-000000003802}2328C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000285294Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:04.276{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0E8C-6216-AE04-000000003802}2328C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000285293Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:04.276{C8EA50B7-0E8C-6216-AE04-000000003802}2328C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x8000000000000000214464Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:05.656{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62ACB3C8FF82F1A5284F3ABE02DEAFF0,SHA256=C4A71EEDFD5EC94364738FF9770C9C3BB40B595B645DA9C8E18B981CF166983E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285305Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:05.385{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A97AF8800AA5E1A33FB291B24EC2BE2,SHA256=439462184F23F9D0145563FC3A70DED1056F959E44572E2D18A8FD3F9AF5871B,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000285304Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:03.112{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53244-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local389ldap
354300x8000000000000000285303Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:03.112{C8EA50B7-F130-6215-2C00-000000003802}2420C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53244-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local389ldap
23542300x8000000000000000214465Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:06.656{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4946C0D96F855BCAF8DC9A28E27DAEDF,SHA256=7AFE271D7AC1DA6640ECEB37448A9B8685C5C2FCE94346852B300D3136E8F0FB,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285306Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:06.386{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30C9B8F440A8EC420AC1C2584FCF3A5E,SHA256=463D68B7E1B32B45BBDFB07F618EC0DC0B259A85575369613AA6A7A8AE1F2179,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214467Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:07.671{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68374EBED6D2CAE4445064DF40B36CF1,SHA256=ABE7D50D64812F665C0BD9E97C57D6A63ECE694F142E5A7CF2F4FD93BB0CD1A7,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000285308Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:04.611{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53245-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-
23542300x8000000000000000285307Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:07.401{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF2140DF855DCADE58F6B54B7901CC87,SHA256=B0BF38FF8BE227A95EA0BC857EF529BF75DA6DDB184128B454A9F7E6375A5C81,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000214466Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:04.658{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51190-false10.0.1.12-8000-
23542300x8000000000000000214468Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:08.687{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=403196312FF133C6D3B397AC5889CA1D,SHA256=CE540B6CC08392572A371E53EEA54AAE9FB6E5BA7AC8546149DC04B64786C7E5,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285309Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:08.416{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A6E9701A715C3F6BEC21C5249CA37FD,SHA256=0F0A15B915109BA581A09E1252CABE61FABA83A8E3FC123F8EDE368FBEB9217D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214469Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:09.703{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57B975465212804423CBC4E2368C2F18,SHA256=808A160F85A6A6FEAB662A1EAEAD49B0D007DE38BC90E3D67BA50FCD12DF9BA5,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285310Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:09.447{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57FAD5505FF7D55CD61E71F68F090570,SHA256=CB6F1716AB73FFC05C31A8AAC7543D0CF431987FD1681D3636E6275FDA811D9D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214470Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:10.781{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE05505594CF09E6BEBC3B164A090977,SHA256=73FF42B7F2EE2AA74733BB97B749FF1439BED77BAC0D6F2008FFB7285134C5F1,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285311Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:10.479{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=013F7C84338CA06DB45DC55686EA2877,SHA256=5A6DF8F07E749530098B76B412DC46A2619B3A5454FAE30AD6B7C8ABC73B08F7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214471Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:11.843{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=987B6A069C78DDB44DD9B4A5AA2413FF,SHA256=B071B1A12EEB8E5B9BA8340ED01D54C61261AAA30FF69404F5B9B7FABDE193AD,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285312Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:11.510{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A7B0F7130C46B7E20BB39E46FCD17B7,SHA256=D12F86B08AFC5212C9EBC806A49F203B26AF22BCE0F389403EFAFDDF2D4FA2B1,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214472Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:12.859{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B792CF29EB7B13EA0EB5D877D76FD267,SHA256=B78DCE72DBB288D439EFAB09F43A8BC936D84611DE517C44A85E93EC9643E6D4,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000285314Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:10.580{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53246-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-
23542300x8000000000000000285313Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:12.526{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8797A9E2DC2C63B54477A92C9EE2C9B6,SHA256=CB6CC6F13644723D669007E95F64679C65CAE51DA4FE6EB529F2C8E2B790C072,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214474Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:13.874{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00059F55E810DF4E414A27B0B48EC02D,SHA256=03E7A7B0FB1CBB7D8FF661BC9BF345BB7137D33ABF99E8534770F6CD7D885F07,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285315Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:13.588{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C6102EDF82F465841D9D9129E575A9A,SHA256=B37A9034A283027935A13235D149814C11F3351558AFFC958DB198423582666D,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000214473Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:10.580{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51191-false10.0.1.12-8000-
23542300x8000000000000000214475Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:14.906{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=722EF0332F0F62238E19CB498D266AAA,SHA256=81FD8ACD64450753AFAF77263642E2E203404C82CA4EAF31B219DC06D43789F9,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285316Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:14.619{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EFAA5AF4698F2665C17DEC097934202,SHA256=1B4FD29C3064FF88101210AEF81301E5CDDAA72049D86ECCD6751B86BED4D80E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285317Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:15.635{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=662CEFBA606C201F4AB1111636BE4CB7,SHA256=EF541D5296A74582C98B8F13BEF58B0CC639B5DC61EFB57DE04D69141931609A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285318Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:16.651{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFD506C486E985F4491BCF7CAC056F04,SHA256=34AECA3572073AF4638CAEC7198C9A83181160E2DDDFC67ACB21A1842B3C32FA,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214476Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:16.109{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D37C241D140977343F4ABCCC9505296,SHA256=A34C02574C59EFF7D87DF1EBBDD9F95430E206766FF828C9A8222DA4F45B65DB,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285319Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:17.666{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E067DCE9AF75EB696797B88FCB764E6A,SHA256=5CFC04E649E758056000D25D8EE69706D73BE0F948B7C829B36DC27276104DD1,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000214478Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:15.675{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51192-false10.0.1.12-8000-
23542300x8000000000000000214477Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:17.156{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F03AC8F8F24E88996BB979BB24E94660,SHA256=E1B70AD97E8BFA9741DB4CEDB76CBEDDF18AE3D119611116349AE6332901BE95,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285321Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:18.760{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F60BCCDCD6C88D7B0426CAF6CD173560,SHA256=81EC27277BB7A9D5A5D2AEB1164A9D641B9EBC71D871C42C8FFA59641E1278A2,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214479Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:18.390{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AF64D08F34E37D1D75D552075F24931,SHA256=DA376D026818DEC233216350872EE4AA1CAC3C22BD572ABBCA4339791AEFB160,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000285320Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:15.643{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53247-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-
10341000x8000000000000000285338Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:19.994{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285337Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:19.994{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285336Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:19.994{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285335Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:19.994{C8EA50B7-F11C-6215-0500-000000003802}412428C:\Windows\system32\csrss.exe{C8EA50B7-0E9B-6216-B004-000000003802}4004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000285334Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:19.994{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285333Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:19.994{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0E9B-6216-B004-000000003802}4004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000285332Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:19.995{C8EA50B7-0E9B-6216-B004-000000003802}4004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x8000000000000000285331Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:19.885{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D484FE5C414DEA0E394D38D08963D5FA,SHA256=4413D767D93333F53D5E84DED8E782E12C0387CFBDA185684E85CB50206F83E5,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214480Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:19.593{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D0E285F2854307E0DD4975CF39521FB,SHA256=53783CCA510FD60ED1B2C06DDC1A0D69027A910C84089C8501944F5382C58EAD,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000285330Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:19.713{C8EA50B7-0E9B-6216-AF04-000000003802}56801912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285329Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:19.479{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0E9B-6216-AF04-000000003802}5680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285328Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:19.479{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285327Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:19.479{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285326Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:19.479{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285325Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:19.479{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285324Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:19.479{C8EA50B7-F11C-6215-0500-000000003802}412428C:\Windows\system32\csrss.exe{C8EA50B7-0E9B-6216-AF04-000000003802}5680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000285323Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:19.479{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0E9B-6216-AF04-000000003802}5680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000285322Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:19.480{C8EA50B7-0E9B-6216-AF04-000000003802}5680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x8000000000000000214481Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:20.609{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1A11F68E8766D2C6AB6CF6359BB4FD8,SHA256=F3F55BF2C190D65AB2F0093E47535DC04AB9A310DB371CB377095AAA75F9AF49,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000285351Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:20.697{C8EA50B7-0E9C-6216-B104-000000003802}58925764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285350Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:20.510{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0E9C-6216-B104-000000003802}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285349Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:20.510{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285348Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:20.510{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285347Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:20.510{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285346Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:20.510{C8EA50B7-F11C-6215-0500-000000003802}4122608C:\Windows\system32\csrss.exe{C8EA50B7-0E9C-6216-B104-000000003802}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000285345Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:20.510{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285344Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:20.510{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0E9C-6216-B104-000000003802}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000285343Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:20.511{C8EA50B7-0E9C-6216-B104-000000003802}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x8000000000000000285342Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:20.494{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7588BE195CE7B3671406529DB182C86F,SHA256=7A8404BB6355D1BA23F2D4357E773DF40260C22A627DFAC38A4A4303A8374BF3,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285341Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:20.494{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8CEB2E8EBC628D1D788A87949EA5FDAA,SHA256=2D013584B6FD842CC7474F81EEE3DBA2149DCF06C53738C69A1AD3DCB2823DA2,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000285340Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:20.260{C8EA50B7-0E9B-6216-B004-000000003802}40045416C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285339Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:19.994{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0E9B-6216-B004-000000003802}4004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x8000000000000000214482Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:21.812{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F06050E031E354CA4E3906B8E533CBBC,SHA256=66D6F21A6FB6060450326C3BCD184540D26FF47DED80CE3EC43717D88C5AA93B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285361Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:21.557{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7588BE195CE7B3671406529DB182C86F,SHA256=7A8404BB6355D1BA23F2D4357E773DF40260C22A627DFAC38A4A4303A8374BF3,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000285360Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:21.135{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0E9D-6216-B204-000000003802}1892C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285359Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:21.135{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285358Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:21.135{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285357Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:21.135{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285356Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:21.135{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285355Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:21.135{C8EA50B7-F11C-6215-0500-000000003802}412368C:\Windows\system32\csrss.exe{C8EA50B7-0E9D-6216-B204-000000003802}1892C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000285354Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:21.135{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0E9D-6216-B204-000000003802}1892C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000285353Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:21.137{C8EA50B7-0E9D-6216-B204-000000003802}1892C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x8000000000000000285352Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:21.010{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=434C64A393EC2AA60BD9B6573462F2FE,SHA256=743B3C35A546A57C3DDCFAA0C839B456CFF27A75F1CEEF2B5D64678505188DB2,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214483Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:22.812{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E73EF3FE6399CC78D236A817BD9B2EF,SHA256=B9AAAB92CC0A071CB6100A55192DC391DC90C3B8CFD05B386C43E92CC6A276E1,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285362Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:22.026{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4F4AD3BACC230363E88B3B8980545B0,SHA256=DA0AC685ABB20F6D9CCE2AE7B7BFCFAB95670F04AA50E9C6128DC29DB44246D7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214484Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:23.828{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=879FCDF6C7885824AB1E7BEBAF5360A5,SHA256=77C4A4EC956F8439E54BCD546296E7C41552C68F205290DFD432DE28073AA733,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000285364Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:21.580{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53248-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-
23542300x8000000000000000285363Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:23.072{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE0A3F89C2EA67AC9AC5550A38A9FA8A,SHA256=74697EDC3B5045F9F4FF82D8A254317ED4FDCF5E4D20C049B5B0A59C14FBB03F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214486Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:24.828{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B1AF0BAB71BE03CB51E306852BDC7DE,SHA256=06772F76E3CFBEF4FE9CE5C187C1EDA684356996084CEEB19F32AE92B4BCA2AF,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285365Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:24.088{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB0A6CC57B17048E184591D2EE66A8F0,SHA256=671C41EF4D7C2E37C9BD559CEB8DB48BC183759D3442D8D5AFC4E7738F844DA2,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000214485Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:21.673{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51193-false10.0.1.12-8000-
23542300x8000000000000000214487Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:25.843{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2248F897638D67683D9F561BDF457DA5,SHA256=B9FB9BFDF6DBC56BF70D02409F2B3906F6C6944AC87DE3693D5BD49BF82AFCF6,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285366Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:25.104{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=346522362D5073D9C5A97FC503FDC35F,SHA256=F8EB69922154CC75AD6FC8275ABEF1B8219F06190717D83EF1EB0FD373979EBF,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214488Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:26.843{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EF4708C4ECC2CF6B20EBCD14122DA68,SHA256=FB609E295DC6F82062151259476F258470CF401F2E75803E4E204876B2339C18,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285367Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:26.119{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0231F5C3A8B763E921EC5A4004265E0,SHA256=1D1C46FE5CED358E834DCC5DF2589A75FB8E0B9DDA7E6D34BD240CFB99A7E0C6,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214489Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:27.859{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DDD0D0BAC35F5DD1D97E85191485FB9,SHA256=88D8161E2A3AFEA2F39391BBAA3D8891D68D56933AFC9623EDF10D9A4FE9F10B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285368Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:27.135{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1A77D8A7F5DD20D4D75B2EB1B92581A,SHA256=7FB816D53C6CB2AE81A37C441C93378C1E0064D24B80D4CB7D001FF777D06D18,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214490Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:28.859{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9581F778652062F102ECC6216BEC5D1A,SHA256=081B0224292D448111741783C6B0A60E070900B5ED45FD96121B14BC0C4B5888,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285369Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:28.151{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE08C3B828E823A1B1947C3DC9751DD8,SHA256=EB3F060EDE7ED3138D36C3CD2C7285E7866BD5003524D62154BF935B33BEB0E1,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214492Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:29.874{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8484ECE324CC3986184E20488B1ADB36,SHA256=A8ABA986758C41B6F8A1FC1F3C5DD5EC1639796A35B014D4C3017E90A18B2095,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285370Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:29.182{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06C9E5494989A81517FF54071F62DF23,SHA256=BDBC3492A5A5074B71C7E7452E9604DF4212CED9776B9338A01BC09933B5B1ED,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000214491Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:27.626{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51194-false10.0.1.12-8000-
23542300x8000000000000000214494Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:30.890{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AA7680CDB40CA6CEFE69742C837219C,SHA256=B336C5B3080089DD968D78F7629FED98CE745B285E749C20ECFE6B550F267098,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285372Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:30.197{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72538B3D28BB350C1141586D552BF862,SHA256=E0A498C8B85FBAA8DC34779540B956BAAB5E77591C2F372B33D9D7D657B8D7DA,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000285371Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:27.565{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53249-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-
23542300x8000000000000000214493Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:30.234{4F8D34B0-F11C-6215-1100-000000003902}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=203F829E7BE80FA4E5E04FECFE0FFA83,SHA256=2466C355FC438A5CDCE4153A53B3DDB05569F8145942E944F3BBE50E309D2567,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214495Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:31.906{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0423385F744B9419C7582E1BC46C3A4,SHA256=95C5FA8DC727844F36565F38FDD73382C90FA452F7EFA57B6F553C472F228AF4,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285373Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:31.244{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F735AF47CA3FF54A6C0046DE4D547A3,SHA256=4549613600F245845F6E01CE730E7D7681B13E7CF7BDEC8125CB778A5B48E716,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214496Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:32.921{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=252FF61C90955A96A184B3FA067D7F06,SHA256=17E1622F28FFDC88D4B9CCA3494C27E55EBCC77E862A5EF359023C08F40B9259,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285374Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:32.416{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCC56D4F2F3F135E72D2D87966FF8FE9,SHA256=3B59C7B891637AC25254984724168E679F27F7483CB0BE1923A153F69439E6B7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214497Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:33.937{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CED9B7F97EC3290A87C8DA0F4B9DEC5,SHA256=31E446F6152AB8D4EE29A5B432A9C299BC3D3C5DA33DDFE883233785EB2C5419,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285376Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:33.432{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BD22384ED8D324C3DE408419B35E8F0,SHA256=D9AE19E25187F3BB7BE7F61B965DC76E4654A48C9B85897F7B5F6C31A4A83320,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285375Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:33.260{C8EA50B7-F11F-6215-1300-000000003802}616NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=8486C304F0897A36A4F8AB9BE13C58EB,SHA256=233778C1CDF4767FE80A23D92B73036B12D7639E89E8C38E62138E702D94ABB7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214498Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:34.937{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A845FB1DD70EA6B36E30E5EDA55B78F2,SHA256=D77FDAE96A3BB4D3A19CB32A4C4D4E2917E6C9AE37605B9AF93D2624ACC2658C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285377Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:34.447{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11C19901561209D3D9412D540A02CB26,SHA256=46717155AF97C3B8E12DA40DB778D4A68620696B89E05791C6086F52CFCD9EB9,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214500Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:35.937{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B927C4D6B2FF4DDA1F6E64ED37078F24,SHA256=BDF65BB5A9174BD3B8102BAEE26ED13D4AD240A6525C0800895743CFA37F2A15,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285379Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:35.666{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D51724A0AF2EA6B47A8AC60A83F8C2F4,SHA256=56FB9B865B09E98265D2DB8B40C254BC85D618301302DB05F97B9F09B048E72F,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000214499Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:33.517{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51195-false10.0.1.12-8000-
354300x8000000000000000285378Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:33.549{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53250-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-
23542300x8000000000000000214501Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:36.952{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACE81245E5AB2AA0CC43F013AFD81E29,SHA256=904102B32881E3AF641714A3073B9EEF6143975DAAB1E620D0EB13C84F15D0D7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285380Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:36.682{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D20296B4D70999E442FF1707F47D4F39,SHA256=728C4C009C889F7076BF1165EFE99851444147BB561F810BB617D93D36CED5AB,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214502Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:37.968{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B85AF157DFA774B087E3F63C8A835AFC,SHA256=14DEF2BBE65C822D78D611747EF1083C194FCA7C15AE635CD60EB3D0D59B6EE7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285381Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:37.713{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7196EED42C223C5250AC38B3A6909DBA,SHA256=8C8C667033F5DAF44322561A8E3ABF428A841EC60D48710CFDA8B5A2CF0A957B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285382Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:38.729{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95F545CF1A318AF3887090672B1FC1BA,SHA256=383A8C12A34001ACD97610524B0267C7E62D0CA9C609CC33D1B14B35ECD466D1,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285384Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:39.854{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9453C78420F58974389C9867CA47D14,SHA256=6862722A600A4F01A21D9E36AB5F499EDE782570C3DE1FAD457C9ABA353E9345,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214504Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:39.957{4F8D34B0-F11D-6215-1D00-000000003902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04ffbe17aee3fbf0d\channels\health\respondent-20220223083233-122MD5=7840F8D654EED3E7C6FA395A9E23FA56,SHA256=FC4C38DACEF1698268BE802A03907A00216EAC67FA531AF20528DD4173FB9624,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214503Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:39.077{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD0BD8A7C00E6671F9735293F5C76E9A,SHA256=831103A69F87CAFCF9D74F2766E30233E173A1E8C15027018F3B842E3D4F335B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285383Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:39.479{C8EA50B7-F130-6215-3000-000000003802}2512NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C796F5788518CF0F57AB5C87207C5D14,SHA256=0CE7095FECB35749AB15D15586D728EDDAEC94009FC3FB4FCEDC790B064FF951,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285388Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:40.916{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D3DD1968A055016B6F0449E8F69764D,SHA256=AC8AAFD8FC5A7B81ABD091951981159E34999266C5B6FEBFC3843CA5F6EB1F85,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214507Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:40.959{4F8D34B0-F11D-6215-1D00-000000003902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04ffbe17aee3fbf0d\channels\health\surveyor-20220223083230-123MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000214506Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:38.705{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51196-false10.0.1.12-8000-
23542300x8000000000000000214505Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:40.098{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30AB5059C08C03950E1BB30FC877051A,SHA256=366A52C08D5FFF96DD4628410469C0F0AB786FCD7E4380D266EA3E702B58C96E,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000285387Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:40.697{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-F118-6215-0100-000000003802}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+97022|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2f1f1|C:\Windows\system32\lsasrv.dll+2d0d6|C:\Windows\system32\lsasrv.dll+32919|C:\Windows\system32\lsasrv.dll+30267|C:\Windows\system32\lsasrv.dll+2f1f1|C:\Windows\system32\lsasrv.dll+1752d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e
10341000x8000000000000000285386Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:40.604{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-F11F-6215-1000-000000003802}364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285385Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:40.588{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-F11F-6215-1000-000000003802}364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x8000000000000000285393Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:41.916{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F249D166CA555E6CEDE0A59AD6AD782,SHA256=5499873A6F01B42FA0E4B65111E9C1FAFDF00F94A7EF72DBECE0831B7A8F2326,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214508Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:41.144{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73428D7F85A8962F9418775214E7ACE2,SHA256=FC3BC377E3B160813A1438EDA8CF15C29E082EF44E4E6D1F205FA9A225CF2F3D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285392Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:41.619{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9DD3363FAA250B7F7E47380D84165226,SHA256=2039113BBCCF0B186D8B22541C323ACEA6764864D1CD2BC31FF602F51253CB26,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285391Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:41.619{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CA3A8BEDD21C8CE605E2BBA4890DB3A6,SHA256=B72278A3C36DCAE6178FF63742D0FAA6B02B6BE7B8558275E9D22A2B66DF7248,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000285390Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:39.549{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53252-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-
354300x8000000000000000285389Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:38.939{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53251-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089-
23542300x8000000000000000285400Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:42.947{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7596B645602663F633433365FC2ACE48,SHA256=FA8B718610B65CB9C9541CA9F368F067AFE660DFC272B1E0B4F2DE7024F4636A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214509Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:42.161{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAC3FC261C61031D1B33478BA1F877DC,SHA256=DA08CC85984A500C59F6995B5581176238714AEF88E74A3A94C69787F9EF9E9E,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000285399Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:40.178{C8EA50B7-F118-6215-0100-000000003802}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local53255-truefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local445microsoft-ds
354300x8000000000000000285398Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:40.178{C8EA50B7-F118-6215-0100-000000003802}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local53255-truefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local445microsoft-ds
354300x8000000000000000285397Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:40.082{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53254-false10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local389ldap
354300x8000000000000000285396Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:40.082{C8EA50B7-F11F-6215-1000-000000003802}364C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53254-false10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local389ldap
354300x8000000000000000285395Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:40.068{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local53253-truefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local389ldap
354300x8000000000000000285394Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:40.068{C8EA50B7-F11F-6215-1000-000000003802}364C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local53253-truefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local389ldap
23542300x8000000000000000214510Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:43.395{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2D551266F7DE3814541E8EC51CA543B,SHA256=71C708FDF8C99E41B423A22807EA7E0BA6754345B0E7827375D4D4F1D063854C,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000285434Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:43.447{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285433Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:43.447{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285432Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:43.447{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285431Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:43.447{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285430Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:43.447{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285429Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:43.447{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285428Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:43.447{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285427Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:43.447{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285426Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:43.447{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285425Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:43.447{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285424Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:43.447{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285423Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:43.447{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285422Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:43.447{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285421Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:43.447{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285420Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:43.447{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285419Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:43.447{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285418Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:43.447{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285417Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:43.447{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285416Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:43.447{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285415Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:43.447{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285414Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:43.447{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285413Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:43.447{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285412Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:43.447{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285411Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:43.447{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285410Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:43.447{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285409Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:43.447{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285408Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:43.447{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285407Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:43.447{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285406Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:43.447{C8EA50B7-F11F-6215-0D00-000000003802}888908C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
13241300x8000000000000000285405Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 10:38:43.244{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\6FC0DF5C-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_6FC0DF5C-0000-0000-0000-100000000000.XML
13241300x8000000000000000285404Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 10:38:43.244{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\BA30863B-E0B8-488B-829D-A0E9DE6AE59C\Config SourceDWORD (0x00000001)
13241300x8000000000000000285403Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 10:38:43.244{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\BA30863B-E0B8-488B-829D-A0E9DE6AE59C\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_BA30863B-E0B8-488B-829D-A0E9DE6AE59C.XML
10341000x8000000000000000285402Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:43.229{C8EA50B7-F11D-6215-0B00-000000003802}628792C:\Windows\system32\lsass.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285401Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:43.229{C8EA50B7-F11D-6215-0B00-000000003802}628792C:\Windows\system32\lsass.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x8000000000000000214511Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:44.458{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDC0CEA78B70E00FFE84F48082D36482,SHA256=BCF89F0A03203B69B94007B37B606A9370A65BCDCF5A4600F1F91064B64D9F4D,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000285447Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:44.947{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285446Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:44.947{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285445Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:44.947{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
354300x8000000000000000285444Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:42.732{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local52545-
354300x8000000000000000285443Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:42.730{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local62425-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain
354300x8000000000000000285442Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:42.730{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local52885-
354300x8000000000000000285441Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:42.730{C8EA50B7-F11F-6215-1500-000000003802}1092C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local52885-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domain
354300x8000000000000000285440Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:42.707{C8EA50B7-F11F-6215-0D00-000000003802}888C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local53256-truefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local135epmap
354300x8000000000000000285439Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:42.707{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local53256-truefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local135epmap
23542300x8000000000000000285438Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:44.213{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=213F78233E922D3D30A12FED65C21E8F,SHA256=7D8F27064037A3B5E8D227FA5A5BDEBAC6FA5BDA45D239C37C8658B0FFFC1A1F,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000285437Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:44.104{C8EA50B7-F11D-6215-0B00-000000003802}628792C:\Windows\system32\lsass.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285436Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:44.104{C8EA50B7-F11D-6215-0B00-000000003802}628792C:\Windows\system32\lsass.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285435Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:44.104{C8EA50B7-F11D-6215-0B00-000000003802}628792C:\Windows\system32\lsass.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214540Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:45.864{4F8D34B0-0EB5-6216-0404-000000003902}2948764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x8000000000000000214539Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:45.723{4F8D34B0-F11D-6215-2300-000000003902}2036NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C796F5788518CF0F57AB5C87207C5D14,SHA256=0CE7095FECB35749AB15D15586D728EDDAEC94009FC3FB4FCEDC790B064FF951,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000214538Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:45.645{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-0EB5-6216-0404-000000003902}2948C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214537Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:45.645{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214536Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:45.645{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214535Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:45.645{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214534Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:45.645{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214533Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:45.645{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214532Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:45.645{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214531Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:45.645{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214530Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:45.645{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214529Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:45.645{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214528Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:45.645{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-0EB5-6216-0404-000000003902}2948C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000214527Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:45.645{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-0EB5-6216-0404-000000003902}2948C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000214526Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:45.646{4F8D34B0-0EB5-6216-0404-000000003902}2948C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x8000000000000000214525Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:45.458{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D398071E1310BD9F38B473619FFFA27,SHA256=C95B7388B0F61210D286A09C5A11C5AAD04512DD6ABFC723FB1E6EEC72452235,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000285453Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:43.580{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53257-false10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local389ldap
354300x8000000000000000285452Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:43.580{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53257-false10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local389ldap
23542300x8000000000000000285451Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:45.151{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9DD3363FAA250B7F7E47380D84165226,SHA256=2039113BBCCF0B186D8B22541C323ACEA6764864D1CD2BC31FF602F51253CB26,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285450Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:45.119{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3146845192B7CD95BBD4E8B218461977,SHA256=52DAF8C4032CB55308F1359BB057E9096AD86A45277B4E871EAA6104FA734BA9,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000285449Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:45.119{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285448Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:45.119{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214524Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:45.145{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-0EB5-6216-0304-000000003902}3832C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214523Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:45.145{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214522Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:45.145{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214521Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:45.145{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214520Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:45.145{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214519Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:45.145{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214518Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:45.145{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214517Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:45.145{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214516Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:45.145{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214515Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:45.145{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214514Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:45.145{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-0EB5-6216-0304-000000003902}3832C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000214513Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:45.145{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-0EB5-6216-0304-000000003902}3832C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000214512Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:45.146{4F8D34B0-0EB5-6216-0304-000000003902}3832C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x8000000000000000214543Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:46.614{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA34B3C8A903ADBA3DE56FE443320615,SHA256=9339BE622CE8E34D8073F3719410700D341FD93F65B0C7629FFC89667D734B2C,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000285456Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:44.424{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53258-false10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local389ldap
354300x8000000000000000285455Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:44.424{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53258-false10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local389ldap
23542300x8000000000000000285454Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:46.166{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=559D78B985E5E01C05588CBF2941C6D5,SHA256=D4BD8ACFE1954D3DE5569FD67417F84B2069FE7FBFA9E686B4DA022420312B8D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214542Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:46.192{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F42BABD048B902BAB7104C96EE8DB8F3,SHA256=5D48FAFE0EF7656B17FA2558F3F8FFA0B861C078AA052AFA6D8A40C32CB39925,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214541Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:46.192{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=588968E07A56C1BF64DDBAB54C73601D,SHA256=23C4E1045679026364BD7F216388B0E9E037F2CCFD6FA806D46A6D4CB5EEABAC,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000214573Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:47.942{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-0EB7-6216-0604-000000003902}1424C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214572Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:47.942{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214571Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:47.942{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214570Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:47.942{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214569Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:47.942{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214568Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:47.942{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214567Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:47.942{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214566Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:47.942{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214565Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:47.942{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214564Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:47.942{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214563Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:47.942{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-0EB7-6216-0604-000000003902}1424C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000214562Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:47.942{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-0EB7-6216-0604-000000003902}1424C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000214561Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:47.943{4F8D34B0-0EB7-6216-0604-000000003902}1424C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
354300x8000000000000000214560Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:45.132{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51198-false10.0.1.12-8089-
354300x8000000000000000214559Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:44.479{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51197-false10.0.1.12-8000-
23542300x8000000000000000214558Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:47.755{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=784E5C13A0E74FB0C33B84A4CD17A5EA,SHA256=B5AC70AA7A363BE979CE59F47C551F27312107494A7EECA885EBF33C5F3CAC12,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285457Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:47.166{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=468D4B3F2E8B2BF7045E3ABE588400BC,SHA256=CE3EB04B9EE404B0A4C4496F0321E532C93D0C5DDCE7681ABDC07457133C185F,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000214557Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:47.676{4F8D34B0-0EB7-6216-0504-000000003902}35964088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214556Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:47.442{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-0EB7-6216-0504-000000003902}3596C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214555Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:47.442{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214554Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:47.442{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214553Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:47.442{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214552Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:47.442{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214551Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:47.442{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214550Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:47.442{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214549Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:47.442{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214548Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:47.442{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214547Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:47.442{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-0EB7-6216-0504-000000003902}3596C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000214546Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:47.442{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214545Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:47.442{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-0EB7-6216-0504-000000003902}3596C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000214544Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:47.443{4F8D34B0-0EB7-6216-0504-000000003902}3596C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x8000000000000000214575Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:48.786{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC9315FD6DE02AAAF5A08ADADEB629EA,SHA256=932813CCD1957D064246D0EAE62912CB0FF960CE715B502517A9BB98CD25284C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285459Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:48.229{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62C93B428F212AA4EC3AA66EF4F82113,SHA256=AB78C9B19DCAECAEEBFD599B381A875B12D527FCAB28019A60C802021C3A715B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214574Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:48.442{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F42BABD048B902BAB7104C96EE8DB8F3,SHA256=5D48FAFE0EF7656B17FA2558F3F8FFA0B861C078AA052AFA6D8A40C32CB39925,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000285458Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:44.564{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53259-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-
10341000x8000000000000000214602Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:49.989{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214601Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:49.989{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214600Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:49.989{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214599Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:49.989{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214598Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:49.989{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214597Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:49.989{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214596Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:49.989{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214595Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:49.989{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214594Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:49.989{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214593Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:49.989{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-0EB9-6216-0804-000000003902}3516C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000214592Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:49.989{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-0EB9-6216-0804-000000003902}3516C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000214591Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:49.990{4F8D34B0-0EB9-6216-0804-000000003902}3516C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x8000000000000000214590Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:49.817{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0293208F7FB869486C21D4702E761A66,SHA256=5B7690AAEC548CA90B759B5F68E45FFDCFAB6C716761F190A2DFADE98BD833D8,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285460Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:49.244{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DECAF56EF9D5F3AD4ACFBC53F8EE4FA9,SHA256=871742919836F7F86A975FFB1291E31994E9C87BA9DEA3993F5A970A65260271,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000214589Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:49.536{4F8D34B0-0EB9-6216-0704-000000003902}22641108C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214588Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:49.317{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-0EB9-6216-0704-000000003902}2264C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214587Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:49.317{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214586Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:49.317{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214585Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:49.317{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214584Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:49.317{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214583Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:49.317{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214582Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:49.317{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214581Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:49.317{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214580Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:49.317{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214579Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:49.317{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214578Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:49.317{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-0EB9-6216-0704-000000003902}2264C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000214577Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:49.317{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-0EB9-6216-0704-000000003902}2264C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000214576Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:49.318{4F8D34B0-0EB9-6216-0704-000000003902}2264C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x8000000000000000285461Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:50.260{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B37293ED01444FD21AB05306E91E2343,SHA256=E4B18EF493F292722A349E1B70F2B6C38C2DD625E5021F37C18B4BE49B062524,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214605Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:50.379{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=008C445011D5F71046385A24A77BDD4A,SHA256=4FC732B56AE376BCA1ABB7EECC2E2EB8E9B5CA744CCDA402764E328D3E555654,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000214604Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:50.224{4F8D34B0-0EB9-6216-0804-000000003902}35162844C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214603Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:49.989{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-0EB9-6216-0804-000000003902}3516C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x8000000000000000285462Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:51.276{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1CA256745C03F9CE665D1EFF98620C2,SHA256=E65D174A96FFF0AEA918F54EEF9C75A58172F369C91792AB7827CCDF14752923,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000214620Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:49.522{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51199-false10.0.1.12-8000-
10341000x8000000000000000214619Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:51.567{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-0EBB-6216-0904-000000003902}3608C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214618Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:51.567{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214617Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:51.567{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214616Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:51.567{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214615Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:51.567{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214614Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:51.567{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214613Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:51.567{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214612Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:51.567{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214611Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:51.567{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214610Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:51.567{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214609Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:51.567{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-0EBB-6216-0904-000000003902}3608C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000214608Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:51.567{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-0EBB-6216-0904-000000003902}3608C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000214607Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:51.569{4F8D34B0-0EBB-6216-0904-000000003902}3608C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x8000000000000000214606Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:51.051{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2B33D58EBE4C850934F15F5AB28ECC8,SHA256=A612D5BAC7C41218FA91AF35CAFCE14D8F23BE7834B682D9BE5CB689086B11C8,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285465Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:52.541{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A9C632E5B95FAD2C77D04C7AF5AC043E,SHA256=F3E1F92FBA943FBFEBB9086C6A880873E26E9FBBE56800C2F9D937AC71029A36,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285464Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:52.541{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F028842EE8371753F5BE6FF387FF0ACB,SHA256=E665267D87159B50142E00E670A2FB8554A65437FD1D59E6E119BBCA847093C8,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285463Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:52.338{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=038345AA76A57975AC70D75FD2E73656,SHA256=BF7B02CBB5929EAAA938B0A332FA2F4D66DDF8C686FB634D3924D7F9EAEE306F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214622Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:52.614{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8638D08B64566CA53248475924B84090,SHA256=0E68F392C5A56604E61A08BCAD301DF6DF118FAC252625CCCBC4336894781E8E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214621Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:52.083{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4583A4E0EB9A525DCA6D76A74C6A1B4,SHA256=375FE538444DBEDEBD37F2DCD24DB7FFC226E43699E5216724BF271C689ECD98,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285467Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:53.369{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF7F3259DAD88A9D9232770557F51C1E,SHA256=84AEF0CA8D388523B4E65A2E15F55F3A919CFB276C3DC916D3482A91E41B9E19,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214623Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:53.098{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE6C71281615107963B85673B425DBE8,SHA256=F9D2B0EF94DC488A05F12D7F021A3CA118C21F05594FE4FFEA9A45E99A87B708,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000285466Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:49.658{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53260-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-
23542300x8000000000000000285468Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:54.385{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=246D68AD9F7BA74D3F29CAF19C8451EF,SHA256=34C8D16FCAA20B9BC2239AC715E78111B9605DAFA3E98D3AFF7A6BC291037AA2,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214624Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:54.114{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BFF738C83F9906F79584564F7DE8DA0,SHA256=5469732E7336A6E4DD1A4ED2CC1794F44AC50C59272D64E60827178D8DAE0459,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285469Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:55.401{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95124FCC34B6791C4B607F83471A461B,SHA256=2110DB36C19BCAF6C25DBF6BF5C1102A1598C1870530FF08DF5F4F4524B8444F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214625Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:55.129{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6951615F38A91BD3B7919032B9D75BE0,SHA256=9E18034EBAC48375CE480546580D57F6BD164B7221BB13F6C1457A997708DC62,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285470Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:56.416{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2712EF85F409CC020D2656E28F72F46,SHA256=E87CF77155887AEF17D37938D312AF98FFED3A7AA5049C01FB2FC98D5F011FF2,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214626Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:56.129{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44BFCF1DF2BDB76D44A5D01151A40DEB,SHA256=CF38D99B6FF9746BFEE46DE634022780387B2CF80468174BD44822EF95E552E6,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285471Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:57.432{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CCFA0563473642A5BCDBC569AA5C03B,SHA256=D4D196F63C1743AD91A3156F3D85DCB8D4F6EBA6AE375180AA06A1D2A9777246,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000214628Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:55.554{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51200-false10.0.1.12-8000-
23542300x8000000000000000214627Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:57.145{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=970CE04729BE8273810C4FD2612A5C9A,SHA256=8F6D163854B299D49FFC002B239506B6B89CBC67C179D576B86E85FFDF3C90D5,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285474Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:58.638{C8EA50B7-F130-6215-2F00-000000003802}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03cdc2690a17b3e8a\channels\health\respondent-20220223083251-122MD5=A38EB58E8C6680789F1AEA0022EC0210,SHA256=7B5C3F2ACD9B17C99423AC4BB2B0CFD455B3A71F8C48567BF2A051FF8E6D4921,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285473Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:58.449{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BE197D2A7249FAE5C4A99E61A59A863,SHA256=A9A08DC5F8F00E9ADFF51E7B744F072E1DA967EADA3494861D5D09EB4B8026CD,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214629Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:58.161{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F554B2576548FACE0FF362CB0F606D8E,SHA256=BFE03C34CC626AAB4EBE01A6E8D1E764607E56802F591B8A9B5E3680F15CC89E,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000285472Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:55.611{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53261-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-
23542300x8000000000000000285476Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:59.653{C8EA50B7-F130-6215-2F00-000000003802}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03cdc2690a17b3e8a\channels\health\surveyor-20220223083249-123MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285475Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:38:59.480{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FA0F37370669D2E64E41E1D3086E3B9,SHA256=61A38E4A35B0D7AC2B50C7ABEF4CDD6244FC97128B46A4F420F11EC6B1281C93,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214630Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:38:59.176{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=364A1EB9FD2574B62FE6636EA9F61AB4,SHA256=15B3E699B9A272498210B457B0467D2B3D704A2F44243ED4816BA1AC474A6960,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285477Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:00.513{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A4C223C953FFF895282401214105A0E,SHA256=CFAC83826FC31F208F97B0277885CB220AD500E2DA332C39FF089B635FEDE039,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214631Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:00.176{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB60DB174441958F6BBA871A1CC6C72F,SHA256=F0BC4D7DED9EE64AC1BF51595D39A7F2AD073720B09F1A2EF343055B4474725A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285478Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:01.528{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9028E12380F68E81D94ADC139972E9BC,SHA256=8C30A582B52193EC385ADD7F61B461BC4E5B0740E4F245FAB23CD732634FA6D6,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214632Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:01.192{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A83F73A8575F62EA5F39D5A17AAD9D6E,SHA256=8C871603D10B0186571487030FAFD7076D37030154FEDB1F754541C94E796C7F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285496Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:02.560{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE71963377E3DED5DA33A6A5691C4AEC,SHA256=D958698903535137BE53307B003FA2328E60A42258C3B09AD6786857252A6624,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214633Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:02.208{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41419552F9E75189E191482BEF64F43B,SHA256=1B98B23D096E0F6D3E73E76FDE566E72077472CAB7FFB77DDA15AE22A648B8DA,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000285495Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:02.497{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0EC6-6216-B404-000000003802}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285494Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:02.497{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285493Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:02.497{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285492Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:02.497{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285491Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:02.497{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285490Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:02.497{C8EA50B7-F11C-6215-0500-000000003802}412528C:\Windows\system32\csrss.exe{C8EA50B7-0EC6-6216-B404-000000003802}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000285489Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:02.497{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0EC6-6216-B404-000000003802}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000285488Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:02.498{C8EA50B7-0EC6-6216-B404-000000003802}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
10341000x8000000000000000285487Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:02.263{C8EA50B7-0EC5-6216-B304-000000003802}21885040C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285486Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:01.997{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0EC5-6216-B304-000000003802}2188C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285485Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:01.997{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285484Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:01.997{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285483Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:01.997{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285482Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:01.997{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285481Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:01.997{C8EA50B7-F11C-6215-0500-000000003802}4122608C:\Windows\system32\csrss.exe{C8EA50B7-0EC5-6216-B304-000000003802}2188C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000285480Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:01.997{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0EC5-6216-B304-000000003802}2188C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000285479Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:01.998{C8EA50B7-0EC5-6216-B304-000000003802}2188C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x8000000000000000285500Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:03.591{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5677A1AA13D95E366EDA9F2F0990D0E5,SHA256=8707A164B8730620AEEAC0C8B41AA31498C339A270EDB54EDC26A802DC9E11BC,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214634Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:03.208{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E57D82C104307CD0FE3D0750CE04E2E7,SHA256=1F595F1BF01D5DDA33689C3C2A5F9C01C77D6582DDC2142EFB4AE06FD84BB69A,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000285499Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:01.598{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53262-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-
23542300x8000000000000000285498Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:03.028{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=92582ABEF2C8BF4C52AE73A1A8107A9C,SHA256=C6865A37BFF579189CD1E2DC20D965C66FB3BD5056FD786A04C2C977BEB40F31,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285497Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:03.028{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A9C632E5B95FAD2C77D04C7AF5AC043E,SHA256=F3E1F92FBA943FBFEBB9086C6A880873E26E9FBBE56800C2F9D937AC71029A36,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285510Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:04.653{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=326AF583F06E17C09CE3400ADECDED28,SHA256=A56A6D3C297BD39CA9A839659A386CFAC8CDD66BB2E3A8CCB232BC1CB2DC5F6D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214636Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:04.208{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=616328BB838032624C919D660C645B85,SHA256=D9B5350236C5991A54C15798754C1EF658F9D4698BEF2889D3E4D202540BDE34,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285509Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:04.638{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=92582ABEF2C8BF4C52AE73A1A8107A9C,SHA256=C6865A37BFF579189CD1E2DC20D965C66FB3BD5056FD786A04C2C977BEB40F31,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000285508Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:04.294{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0EC8-6216-B504-000000003802}4432C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285507Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:04.294{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285506Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:04.294{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285505Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:04.294{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285504Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:04.294{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285503Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:04.294{C8EA50B7-F11C-6215-0500-000000003802}412428C:\Windows\system32\csrss.exe{C8EA50B7-0EC8-6216-B504-000000003802}4432C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000285502Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:04.294{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0EC8-6216-B504-000000003802}4432C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000285501Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:04.295{C8EA50B7-0EC8-6216-B504-000000003802}4432C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
354300x8000000000000000214635Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:01.524{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51201-false10.0.1.12-8000-
23542300x8000000000000000285513Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:05.700{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C8F25AF07E71D61D3EA7CC0F72A6EF1,SHA256=392EA7D4AC22F1F0CC1EAA642EA2B0235C3B23AA9EFD68F0E085B9E59160B153,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214637Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:05.223{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E00D981C8A9F2D44D86D43F420C06140,SHA256=7DA2928998A6EA12C3E9394C5F4A1EF52E6DC252CA1259200BD604C33331DEEF,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000285512Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:03.114{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53263-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local389ldap
354300x8000000000000000285511Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:03.114{C8EA50B7-F130-6215-2C00-000000003802}2420C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53263-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local389ldap
23542300x8000000000000000285514Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:06.747{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA3685AF4A5BE972CBC54AD4701E7EAF,SHA256=76778C33F3942853BCFCABEE42B553CD800F827778A40E8E7294EFAB157ACA70,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214638Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:06.239{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2059603287A085A5D8A3E07423297D2B,SHA256=E15940E6C19E023B4064A84DCD0E5BD3F2C6BA1B7ED5CD16EFD629622DC4B4EC,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285515Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:07.841{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0337B389354EAF18A458A8EA64DDC6F,SHA256=1EA3A374BAFF930ABF5FBD4A36D6E6C38C5609D18DB9EC7043EEBB6CEDD84423,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214639Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:07.333{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AC2C94AF5C73EDF2B93D2F3067DC127,SHA256=1742B9B3B3A74EEF19030AAEB7BEB5113565C1BB5CE20D7274243607C3C2CC0D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285517Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:08.872{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A61FD7A51B0BEB9D8773038A5E488BB,SHA256=6342B025F847D9BB595860AAF9B524F76EBDC0D793ADD1A3F12CFDF2FE644D55,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214640Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:08.348{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87CFFAE2D54CC320692CE3A28259E289,SHA256=C281C035B046BDE6AABA53EBAD137432243DCAFBA4A1C8C457A8D8994C456498,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000285516Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:06.692{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53264-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-
23542300x8000000000000000285518Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:09.919{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D4C222ED5BABE6558D8CA52DE01626D,SHA256=E4CC179D1255488EEEE3D690A642ECE5E79850A901835DA035D0067174895407,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214642Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:09.379{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9448F4B434FDE5F67785E81A8915F6BB,SHA256=452C12ADCDA2516B0F3FAA6FC86BC9E9A44803B4C99B923BE50F78CC09849E16,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000214641Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:06.600{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51202-false10.0.1.12-8000-
23542300x8000000000000000285519Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:10.981{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF0892822DAFC580D54454A61BFDC19F,SHA256=64685318EF409188F21DD543D03507147332AFFF740D752269DA5B56A4079BD8,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214643Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:10.395{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAEFCA941D56FE3D519682EF27929A07,SHA256=DBE5515E147B4598E27C66457F8F82772F37F6FD22DBCA43200100456D45AA74,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214644Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:11.411{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59025643DA8FF124623DC9DCE715BECF,SHA256=BFBFD0396A6D0F5D384E1C94CE8931BCBBC495D04083E33673A564F43977F13A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214645Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:12.489{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=777E4F152DF0CE0C05D14F8DEE7BCF57,SHA256=3DE9CFE3162A61104B7E15EA3A43BBF3A6EDC65C94CCA779EF833268D7B2D158,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285520Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:12.044{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05988E2815145A6C22FF27DF3C6B637D,SHA256=E983977521084E95983BC2A728CFC1B6CE38D10DC65A97F45D260983C8556521,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214646Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:13.567{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A67E5956616C528EB0E7519E8BC029B0,SHA256=7552D62F94E945530F0A13DF49FEBA48F4A58DB914CA19C0A8460EF941C7B0DF,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285521Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:13.059{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5C87C8245064B3B10F595445287FF00,SHA256=C3F126AF19A32DA073F479715F10B2162D1DD990593605C81405ED67D65E4B96,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214648Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:14.614{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DDBD6997CCD32133A49CAA8FE5BF9E2,SHA256=8C89E636CC01785C607E42895A3C995F0DE7894037E08EC34F32B2AA9F39B2A5,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000285523Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:12.520{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53265-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-
23542300x8000000000000000285522Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:14.075{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CCA1451A47D294F31CC5B5AB8E16652,SHA256=EB6E5D4F5B60AFB33E6247EE2791E9EA979DE0D9B0D405612E4AD3508DD905AA,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000214647Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:12.491{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51203-false10.0.1.12-8000-
23542300x8000000000000000214649Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:15.661{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E66D5457BB709A4D2DCDD5301F74D319,SHA256=2CF2BA8E25DC54E20827FCB5F71508A4A6C25EF01CB431DE2AC47837159089BC,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285524Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:15.075{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97FCA2389ED34BC446D76A014429902E,SHA256=7E25005C23F03919A8AA53385FB6CB7CB12DB1E4BA796FB5B0204B393AF86616,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214650Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:16.723{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A7C3CF1F5CCC9CD9A1027A30EB24489,SHA256=DEBBD8776BD00E2329BF772FAD2F1BAEB4C95357D450410AAD7E4653123AE7E1,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285525Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:16.091{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0641E4E0FB11721E8367CE4318FE239F,SHA256=4EABA189CAFB1BAEC348D417CCCEF6D17C01033FFF93C913945844FA4BEA19DF,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214651Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:17.739{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C60E11F9B39FFB94D01886D12F8B24D,SHA256=9F12F2D3137E220B51AB9A5BE7CFAF1AE4414B5B02C30D0896A65E74AF3ED80C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285526Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:17.106{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C71EFDD7C913127B5A9D6F1DA8A55A77,SHA256=AD116DE4959EC689786C1934E4FFD6EB73C0389341741156D997A28A0D5B61FC,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214652Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:18.786{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FF3EBC4E929D88B0EA98F0DF46B2DD8,SHA256=6124AED551DE7C971704F78D270AF786BA4DEC435B8D5A4027169EDFBAF87E79,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285527Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:18.294{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E1D6D51366F843D11A0500D8340AB5D,SHA256=827D2B4AB1FE79B3A6B583408585F77CA7A8F36F67CB86705EEA9CE745F1FB12,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000214654Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:17.571{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51204-false10.0.1.12-8000-
23542300x8000000000000000214653Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:19.786{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95B0B8CB3D401CB98EF46CE1CBD87234,SHA256=B84C03F0110D16389D6A684546A57330E6F1FDECDA8CB7D9E6B74AF8E38B7C7C,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000285537Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:19.684{C8EA50B7-0ED7-6216-B604-000000003802}47764192C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x8000000000000000285536Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:19.482{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63D8AE49E41554AB904EC0B0D1A76E5C,SHA256=47169EBF3CAB66B8A087A3E2030BF4D0AB7E0886412D4059143D00CE139798EF,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000285535Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:19.466{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0ED7-6216-B604-000000003802}4776C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285534Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:19.466{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285533Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:19.466{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285532Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:19.466{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285531Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:19.466{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285530Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:19.466{C8EA50B7-F11C-6215-0500-000000003802}412528C:\Windows\system32\csrss.exe{C8EA50B7-0ED7-6216-B604-000000003802}4776C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000285529Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:19.466{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0ED7-6216-B604-000000003802}4776C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000285528Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:19.466{C8EA50B7-0ED7-6216-B604-000000003802}4776C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
354300x8000000000000000285559Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:17.646{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53266-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-
10341000x8000000000000000285558Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:20.872{C8EA50B7-0ED8-6216-B804-000000003802}57125748C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285557Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:20.638{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0ED8-6216-B804-000000003802}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285556Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:20.638{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285555Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:20.638{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285554Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:20.638{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285553Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:20.638{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285552Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:20.638{C8EA50B7-F11C-6215-0500-000000003802}412368C:\Windows\system32\csrss.exe{C8EA50B7-0ED8-6216-B804-000000003802}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000285551Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:20.638{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0ED8-6216-B804-000000003802}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000285550Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:20.639{C8EA50B7-0ED8-6216-B804-000000003802}5712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x8000000000000000285549Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:20.497{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=413D6227EB4655C8F12EA0F234F2B531,SHA256=70CFCE0DCE50C3A6297AD3FEA2DC8244FB2329833C5441403D82373E06375DAC,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214655Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:20.973{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B7D8AC4375A8BDB757C5F3F0EFE9F5E,SHA256=0E334CB7B99E4ACC6D3DECAF83EAB72CAE36B5BB8FF8C4498D3F03C13402296B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285548Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:20.481{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0C504098ACC63DCEEE22411F70CD997E,SHA256=3DD8E44D3054D8415C6B65A53EDADF6DE8C77FD4239B6092E3EDF6E9CEF85643,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285547Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:20.481{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9522F7DA080006F4216E9A9D382A3247,SHA256=F5B6849B94E2230CA0DA2A6FCB047DA19C1EA7238C77068198F5ED30C280DAFB,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000285546Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:20.372{C8EA50B7-0ED8-6216-B704-000000003802}11485296C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285545Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:20.138{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0ED8-6216-B704-000000003802}1148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285544Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:20.138{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285543Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:20.138{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285542Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:20.138{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285541Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:20.138{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285540Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:20.138{C8EA50B7-F11C-6215-0500-000000003802}412528C:\Windows\system32\csrss.exe{C8EA50B7-0ED8-6216-B704-000000003802}1148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000285539Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:20.138{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0ED8-6216-B704-000000003802}1148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000285538Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:20.138{C8EA50B7-0ED8-6216-B704-000000003802}1148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x8000000000000000285569Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:21.716{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13A465903D84F85E2DEC718213CC9836,SHA256=4BA97202C66D3DDD87FB5234AAAA5755F7FB975FD50F5F182FF7BEB4785B7F1B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214656Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:21.989{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D38F55C902346DF1A2298B57303A216,SHA256=FC44ADDE2CF7A19E3AF1F184BCA9A80D0552DCDBAD33906BFC74AD0C5538BF4A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285568Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:21.669{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0C504098ACC63DCEEE22411F70CD997E,SHA256=3DD8E44D3054D8415C6B65A53EDADF6DE8C77FD4239B6092E3EDF6E9CEF85643,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000285567Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:21.138{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0ED9-6216-B904-000000003802}3148C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285566Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:21.138{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285565Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:21.138{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285564Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:21.138{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285563Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:21.138{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285562Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:21.138{C8EA50B7-F11C-6215-0500-000000003802}4122608C:\Windows\system32\csrss.exe{C8EA50B7-0ED9-6216-B904-000000003802}3148C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000285561Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:21.138{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0ED9-6216-B904-000000003802}3148C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000285560Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:21.138{C8EA50B7-0ED9-6216-B904-000000003802}3148C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x8000000000000000285570Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:22.731{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FB62FB377ED6F56BCB5A887BE7EC3AE,SHA256=4D7DBCB4C156DFF8E6D460FBB23E5BE76A1296FBFC69A6240B72407281F14B13,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285571Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:23.747{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87EE72DFCB8551E908DE1A29DC78B26F,SHA256=AFDAA34DC95FCC5959AEC22BFEBE17F65AFAA406F88B0AD9DF80C0F748B2D216,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214657Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:23.114{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E76A2D498A77BBF70408499548DEB95,SHA256=F7E7BBCA183539D551C8524E913EB8EA3E0BF7B8DE5996401F962CB603EB1786,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285572Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:24.763{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F92560D0FADF192CE4AA3E06B862150,SHA256=3CCD9A2A641B8B3288F342F631095CBE84E975465ABB4B799DE5E3FBF01BCF92,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214658Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:24.145{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CF014190F7D2156718A500509204600,SHA256=803781202752EF68D9C12DFC60B18B1899A7666ADA8341F2C0BCEFD29A079F82,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285573Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:25.778{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09676755230A70910D08594F6ED87FE2,SHA256=AA8B53D4DB8C9A47A1CAD7C8BA0E812CD4B7351D7621A94063215D08FEE5AE4F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214660Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:25.364{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97BCB8E459A6D057AECDA2E51261CCE9,SHA256=534C5C44C21CA23777935B9335D20E319ADF63505802D86B90E23E0530E713E1,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000214659Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:22.585{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51205-false10.0.1.12-8000-
23542300x8000000000000000285585Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:26.794{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66B407D5C0C66CB9B354011CE63DBA85,SHA256=E1927B5CB8DDC392C2A496D6C1B04DE9B2B91ECB07A06E17070B07B20D6CD1B5,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214661Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:26.457{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27676BC030AD900CF2ED37A6B009F39D,SHA256=395300C3A8668274B2BB01554127F7584436231F95F68AA52AD43499919F9EE9,IMPHASH=00000000000000000000000000000000falsetrue
13241300x8000000000000000285584Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 10:39:26.638{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006)
13241300x8000000000000000285583Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 10:39:26.638{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x007454a3)
13241300x8000000000000000285582Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 10:39:26.638{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d82899-0x3f3466f9)
13241300x8000000000000000285581Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 10:39:26.638{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d828a1-0xa0f8cef9)
13241300x8000000000000000285580Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 10:39:26.638{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d828aa-0x02bd36f9)
13241300x8000000000000000285579Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 10:39:26.638{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006)
13241300x8000000000000000285578Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 10:39:26.638{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x007454a3)
13241300x8000000000000000285577Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 10:39:26.638{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d82899-0x3f3466f9)
13241300x8000000000000000285576Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 10:39:26.638{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d828a1-0xa0f8cef9)
13241300x8000000000000000285575Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 10:39:26.638{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d828aa-0x02bd36f9)
354300x8000000000000000285574Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:23.600{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53267-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-
23542300x8000000000000000285586Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:27.809{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD79522DE52C82590498000B9BE0D1C0,SHA256=6CD850E394E09597F3CCEF6DCFDA2144539AD60E537C7E1A8F220AAE593C4ECA,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214662Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:27.473{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53396A2536985A13EC3A8CE3BE71898C,SHA256=BDECF3B68A1DF56A70D49411DF11CD416BB6639D9244375E4223F801A3ADB727,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285587Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:28.872{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AB18C2AA6DFF5C10A59F5684230897F,SHA256=3C6AAFE1BECFEC5470F35A71F3D1DEECCC9629D7AAFC781350171A21B70E15C9,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214663Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:28.489{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3571FB1D69801C3AC0D4CC5567365D9,SHA256=0160B2A6F900976245E51CDA59281481956CBD916C757F32272F73997319A299,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000214665Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:27.663{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51206-false10.0.1.12-8000-
23542300x8000000000000000214664Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:29.504{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDBDDDB9788E77DDC7E3BCA86C492D5A,SHA256=D63E55AA912423CFDFCFBDD8B97F235B3D5FFD3E782516EBFBFF96B5F7BDC224,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214667Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:30.507{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA8AF1F74DFEA8BFA04EC97B220DB81A,SHA256=E08ABA209C5106F8B74CF2A0B8628B37A9DE76B8B10B8CDBB3EB4BCEFFEE9207,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285588Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:29.997{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14C6A650CFC94963C8420E50A15A84EE,SHA256=5E3070A66B93CDD24BBF7E02A42311CB28F6DE0CF5B2A216DC8FC4D718B20051,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214666Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:30.239{4F8D34B0-F11C-6215-1100-000000003902}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=269CFBDEC90468D3665C4A105C7804CF,SHA256=20D7C66C14E639999531E29DAF1F4FE26B8F4BA8B52953F402475716AF9E4CF6,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214668Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:31.520{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D9813237D6FA77F442263087FD3EBAA,SHA256=DB10791A370B725B693B59B6C517D138B8C6E2333A96D5EB4AF5FB39E2B11DC4,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285589Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:31.013{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CAB7E477915F95AFABE8F51D5D5A171,SHA256=23827C0DA08C21A35CA4936B3A738A1822E443E251E97EC8B4FB7CC781426311,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000214672Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:32.692{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11C-6215-1300-000000003902}832C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214671Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:32.692{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11C-6215-1300-000000003902}832C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214670Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:32.692{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11C-6215-1300-000000003902}832C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x8000000000000000214669Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:32.535{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A91692839BE684932FA845F2C78A1A2,SHA256=1633B2FA2D560B44DDA67D59A40201B3517E05C144511629F3F0C7161F274213,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000285591Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:29.551{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53268-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-
23542300x8000000000000000285590Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:32.059{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F02A40F7E732FE7F2261667CF9C52B0F,SHA256=66A0086F12A46F3460129EC15012A6FC28276FF5393BF9527D6D6EEF134E2876,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285593Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:33.278{C8EA50B7-F11F-6215-1300-000000003802}616NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=C091E4E468F09D2BF662A18C0D674EAD,SHA256=F0F3FA5D6562D6C41FC2EAC98D962C9D120FB0D05B95481A969D1F5A954C2433,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285592Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:33.122{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEDF2357BB973404DC4E605D24B3E241,SHA256=AC5829844C33BD3C87D7D60D18D66EFB6BF8DB0FAE80931020EE745E730EC0C5,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214673Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:33.536{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90C6804EECC0CF6EFDEC30B20174BF23,SHA256=067F7AAAECDE7A3B348B87D461DE144A10CAA97A1499410751A7316CE80BC3E7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214674Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:34.551{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EF39A3D40795E99FB28F08153A1A2F4,SHA256=BFB4CA5138CDA48C6557BB78FB756E20A9A2709667187BDE07B35FE1D4B823F8,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285594Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:34.200{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32FFE7D0338EAA9847978A50BC35BEE2,SHA256=790BE8C24F8F8B8DE37FA56402C5F8A0C0D8495F9C8BD9055426CA35A307415B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214675Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:35.567{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02FD7BFBAC6F05801512DC1F77983086,SHA256=AE232835A9F39CD1EEAC0CB7F11CE377443FFA056A4BDF20F09EE3F7B285F684,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285595Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:35.216{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A155E736A9DB2AB4111FA5A8347C9351,SHA256=F3D1BAFA9937D0FFAD750F1ED76D91158B65D74DDB64A20CF5F6E7DC94D875FB,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214677Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:36.614{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F915261B7750AD12F16C7AFC8908837,SHA256=8117CFCD60F1387CDFB8BA3D3FA04EE53CA4546B35C803815997AD00CB8534AA,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285596Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:36.247{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E8E37C8E3146AAC576D3916BC5CB115,SHA256=98DB7CFE30422E6224903F3229DD1B6516E48BB073545D085989F054281E2035,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000214676Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:33.678{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51207-false10.0.1.12-8000-
23542300x8000000000000000214678Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:37.848{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B6C3BBF66D0A54A24BF1AE6D4E1344F,SHA256=E34564B058041ABDC6F83C0744FF699E37A0C0A9E7A37478592BB1AF6443C622,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000285598Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:34.707{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53269-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-
23542300x8000000000000000285597Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:37.309{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12A4287784F7003D7DB3C01FEAEFCD0C,SHA256=4892C3BC5A7537DBB6EF4A292C6EBC0C3E61CE7150C22BBEE66D7CD8034B71AC,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285599Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:38.356{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D914B1FEC1431EB338969730EB187A4,SHA256=A067ED183721AAAB1FAB961B786AB2C2DA419851939383158D8B3A0CDBEB712C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285601Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:39.497{C8EA50B7-F130-6215-3000-000000003802}2512NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C796F5788518CF0F57AB5C87207C5D14,SHA256=0CE7095FECB35749AB15D15586D728EDDAEC94009FC3FB4FCEDC790B064FF951,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285600Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:39.403{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABAB7B2426DEB1BE36B3FA666C9746E6,SHA256=D85D99DA144D42D2A1BA6187C6E4455DDBF5C6023B63DE2D0B4C93E0DBA53AC4,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214679Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:39.067{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3F137874D7DE24C7472A8C0EEAB32A0,SHA256=21B5ECF45B77F3BA4E3C4F6E698B6192758AEBDDC043463B8CC80A899159B219,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285602Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:40.419{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4ECDFADA5C9328F00DBB7F3EF60A4FD,SHA256=2E610506514539F36220F39FB8B6B7CE2D257DC6443E417E6F2F300FF288F564,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214680Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:40.317{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13506760FAD0C4AA128C295AA27E642A,SHA256=1F3DD4ADBDF428728B547E52778DA210032CC9407803C8D9E2C75EA69BBC2A35,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000285605Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:39.723{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53271-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-
354300x8000000000000000285604Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:38.960{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53270-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089-
23542300x8000000000000000285603Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:41.434{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23B886FDB8CB303909B9B66B5F15A25F,SHA256=96164C05ACB36E5AEBE82CE22F4DABADAD5265C025F9493F9BB542B12B513D4A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214682Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:41.478{4F8D34B0-F11D-6215-1D00-000000003902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04ffbe17aee3fbf0d\channels\health\respondent-20220223083233-123MD5=7840F8D654EED3E7C6FA395A9E23FA56,SHA256=FC4C38DACEF1698268BE802A03907A00216EAC67FA531AF20528DD4173FB9624,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214681Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:41.477{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E125DB5B726F70EB6B22B78EC8339843,SHA256=CECD99C55CB779F22C4888EF528A4DB5D15CEBF981E84B99DF290B15007B3EA9,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285606Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:42.513{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D342883BFDBE146E7DD0FBCC7E8FEA94,SHA256=2B120811B183A074F6CE6B800812EBF2B6342D32CD9F9A1BF83E4DA9CCA24BF2,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214685Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:42.499{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13AB0F152457697DBF560E21609DC6EF,SHA256=77EBFBA24B5DFC61391BD3611AEEDE1CDE8206D26687173D004E781000FFE6B7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214684Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:42.492{4F8D34B0-F11D-6215-1D00-000000003902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04ffbe17aee3fbf0d\channels\health\surveyor-20220223083230-124MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000214683Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:39.647{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51208-false10.0.1.12-8000-
23542300x8000000000000000285607Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:43.575{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CD62AB3DC942A8982D81BA6DE872CAE,SHA256=9E4FEAEF664EDFB01837FAB6685F0C2D4140E41BF580827CD37710F6DB588732,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214686Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:43.506{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F78B9E5987D7FD0A1D36A9A4A3980D2,SHA256=06143EF005D74684B677DE92F81E5713422048A00F091FECB3A55D8E90F59267,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285608Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:44.747{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4BAEB955DE266D14FBB0364AE93655F,SHA256=2B5DB15F9DCE4E798757F09C548B712E17B9210E39C115897A371C91E7618D8E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214687Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:44.615{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AAF2462A89A2E8480E90B5383458E64,SHA256=4E8B03E1E7DD0127E31D1D1F345686D054EDA857884DAF97F87BAECFE70C3F6A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285609Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:45.747{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F88490C0A302BAA0F7190E4BE5F0FC9,SHA256=FBCB2353D148D22DA090A3B7ABBA59C0EC857990A0A736371850BEF32550DC56,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214715Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:45.756{4F8D34B0-F11D-6215-2300-000000003902}2036NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C796F5788518CF0F57AB5C87207C5D14,SHA256=0CE7095FECB35749AB15D15586D728EDDAEC94009FC3FB4FCEDC790B064FF951,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000214714Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:45.647{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-0EF1-6216-0B04-000000003902}2316C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214713Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:45.647{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214712Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:45.647{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214711Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:45.647{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214710Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:45.647{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214709Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:45.647{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214708Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:45.647{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214707Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:45.647{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214706Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:45.647{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214705Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:45.647{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214704Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:45.647{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-0EF1-6216-0B04-000000003902}2316C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000214703Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:45.647{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-0EF1-6216-0B04-000000003902}2316C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000214702Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:45.648{4F8D34B0-0EF1-6216-0B04-000000003902}2316C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
10341000x8000000000000000214701Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:45.430{4F8D34B0-0EF1-6216-0A04-000000003902}20683136C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214700Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:45.147{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-0EF1-6216-0A04-000000003902}2068C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214699Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:45.147{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214698Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:45.147{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214697Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:45.147{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214696Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:45.147{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214695Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:45.147{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214694Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:45.147{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214693Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:45.147{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214692Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:45.147{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214691Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:45.147{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214690Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:45.147{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-0EF1-6216-0A04-000000003902}2068C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000214689Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:45.147{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-0EF1-6216-0A04-000000003902}2068C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000214688Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:45.147{4F8D34B0-0EF1-6216-0A04-000000003902}2068C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x8000000000000000285611Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:46.763{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84F3C4246229CF9DE1525BFC14CA6336,SHA256=36C71907DEDEF45053B9D6974B4A46674F28DD68A94A7C398B8891AE9E4BB9E1,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214720Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:46.772{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B14AFAC961339BC702641399BBB4FF8F,SHA256=CF83844A1E99F83F318D5A03AE0EA8DC54D34CC6D8A1B2134303CFE6A08DFA85,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000285610Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:46.575{C8EA50B7-F11F-6215-0D00-000000003802}8883340C:\Windows\system32\svchost.exe{C8EA50B7-F2AC-6215-B700-000000003802}4292C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
354300x8000000000000000214719Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:44.680{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51209-false10.0.1.12-8000-
23542300x8000000000000000214718Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:46.162{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A27FD491B3467D94A9F6D898F12AA93C,SHA256=76233BCB193FD23BEAFD42E0E450732CA04551505E306E25657CF53EE9FEE6AF,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214717Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:46.162{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2D92C9152F3B6C02EB2C5560D76EAEE8,SHA256=11F4D99326B333B3E4A250C1EBA59D7B7B405E6C2E09D2AF597ACEF0F46E7C5C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214716Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:46.084{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C04E6FA7C2184F8F4D08A02C3E021EA,SHA256=E1C1F04410953B3BDC54B77E41D1A95822EBEA8D1FCC3BD21387F12E4D2797BB,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285613Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:47.778{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BF5ABED96E80AFC6A71BA0FBEAE68F4,SHA256=36013C4432CE7EF9E7C44D3DE863F25E3E7AD0361C6478AF8D7424CF5FD8D87F,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000214748Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:47.943{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-0EF3-6216-0D04-000000003902}3216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214747Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:47.943{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214746Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:47.943{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214745Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:47.943{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214744Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:47.943{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214743Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:47.943{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214742Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:47.943{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214741Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:47.943{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214740Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:47.943{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214739Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:47.943{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214738Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:47.943{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-0EF3-6216-0D04-000000003902}3216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000214737Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:47.943{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-0EF3-6216-0D04-000000003902}3216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000214736Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:47.944{4F8D34B0-0EF3-6216-0D04-000000003902}3216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x8000000000000000214735Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:47.787{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9F309A5F65F62647F33C917089B87D3,SHA256=DF15141AAECCCA9F08B287E9D640FCC36394334AD44307B51DE396CE1E5B21A7,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000285612Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:45.566{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53272-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-
10341000x8000000000000000214734Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:47.443{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-0EF3-6216-0C04-000000003902}1156C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214733Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:47.443{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214732Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:47.443{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214731Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:47.443{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214730Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:47.443{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214729Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:47.443{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214728Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:47.443{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214727Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:47.443{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214726Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:47.443{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214725Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:47.443{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214724Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:47.443{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-0EF3-6216-0C04-000000003902}1156C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000214723Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:47.443{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-0EF3-6216-0C04-000000003902}1156C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000214722Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:47.444{4F8D34B0-0EF3-6216-0C04-000000003902}1156C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
354300x8000000000000000214721Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:45.167{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51210-false10.0.1.12-8089-
23542300x8000000000000000214751Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:48.912{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B82E07FFE703DD0CEF6E47AE00CD96A,SHA256=8FD0F30BE8F445DB7A19B71152FE674CCDD4D00F62D8CCFB30ACF9F6E57CD927,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285614Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:48.809{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CE86B6FBF4A04175BF1B8311A7C4843,SHA256=FE54BE8DB761AD20EA4D66C971B3FC5EF73CC1194EE2851D1979AB5FB8D51B65,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214750Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:48.678{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A27FD491B3467D94A9F6D898F12AA93C,SHA256=76233BCB193FD23BEAFD42E0E450732CA04551505E306E25657CF53EE9FEE6AF,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000214749Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:48.100{4F8D34B0-0EF3-6216-0D04-000000003902}32161868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x8000000000000000285615Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:49.825{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D18B07A3CD1B13C136FBD70192140D57,SHA256=47F97C7604D0855AD1D3C140E7AB22DA0795B5B545EA1F60F510835696663AD8,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000214778Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:49.818{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-0EF5-6216-0F04-000000003902}3652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214777Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:49.818{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214776Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:49.818{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214775Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:49.818{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214774Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:49.818{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214773Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:49.818{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214772Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:49.818{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214771Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:49.818{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214770Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:49.818{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214769Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:49.818{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214768Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:49.818{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-0EF5-6216-0F04-000000003902}3652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000214767Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:49.818{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-0EF5-6216-0F04-000000003902}3652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000214766Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:49.819{4F8D34B0-0EF5-6216-0F04-000000003902}3652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
10341000x8000000000000000214765Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:49.537{4F8D34B0-0EF5-6216-0E04-000000003902}18604004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214764Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:49.318{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-0EF5-6216-0E04-000000003902}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214763Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:49.318{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214762Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:49.318{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214761Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:49.318{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214760Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:49.318{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214759Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:49.318{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214758Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:49.318{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214757Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:49.318{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214756Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:49.318{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214755Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:49.318{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214754Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:49.318{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-0EF5-6216-0E04-000000003902}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000214753Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:49.318{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-0EF5-6216-0E04-000000003902}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000214752Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:49.319{4F8D34B0-0EF5-6216-0E04-000000003902}1860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x8000000000000000285616Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:50.841{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AAA6DA04A15B7F673FD11E067D63276,SHA256=CE9780784BC83B63C51167918704C7F541E7CAA83B67414DA484AF22DC448769,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214781Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:50.334{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=453D3B028A33D2F1EC35A347BB4A8519,SHA256=F18FA3382CA4CB83D0FBC20D85B845F7EFCBEC29D1513F2915E574B2EC14145C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214780Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:50.225{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE5164B1DCA74AFE2DA94ACA98FF2B9A,SHA256=5FC6EE2F96666986A7C6C08CDAA96F8BAB335E1857E760B99B996E96023802C7,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000214779Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:50.053{4F8D34B0-0EF5-6216-0F04-000000003902}3652644C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x8000000000000000285617Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:51.856{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=880E4736A8C01371319813A18C85467A,SHA256=EC0271ABDE2592AF9B8AA0E8E883A6738C880D7955F7E7BCD70C273CECCA2248,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000214795Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:51.490{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-0EF7-6216-1004-000000003902}3140C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214794Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:51.490{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214793Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:51.490{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214792Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:51.490{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214791Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:51.490{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214790Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:51.490{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214789Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:51.490{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214788Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:51.490{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214787Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:51.490{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214786Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:51.490{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214785Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:51.490{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-0EF7-6216-1004-000000003902}3140C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000214784Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:51.490{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-0EF7-6216-1004-000000003902}3140C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000214783Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:51.491{4F8D34B0-0EF7-6216-1004-000000003902}3140C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x8000000000000000214782Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:51.100{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2425A6BDA8A2B1645757CE0DA5B1A5A,SHA256=CB3EEC9908E2F7C93DD82213947EECA9A268AB99D825339C62F79B336C6AA215,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285618Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:52.950{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6BAA6FDD1127947CB5A94118AAC5D17,SHA256=6763559843FDD9CABAC0356FFDE07FDB080ABE80147370145C6922DD826DDD4B,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000214798Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:50.540{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51211-false10.0.1.12-8000-
23542300x8000000000000000214797Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:52.490{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F8A732FF6F913FC574655C422AC7A16B,SHA256=A8EF138222EDDF5F34AFE424BD1285D364901FB36F89632B0E614A50F867ED0E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214796Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:52.147{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D658E91BE977117EEE848F9C7F5A5092,SHA256=DE4FFB992E814435736FC490A42AA13185FD2F5B2CCD48E274A3AFDA05B55A3C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285623Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:53.966{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A71880AEC946D9E1B97D031D442EADFB,SHA256=D5778E03BC5B55382EC004E6FA006CE756A2BE072BF9C9D2FD1EF2A6DFFC32B9,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214799Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:53.178{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69928E15A9530AC268FE5A7CEDD1B6A4,SHA256=62F41C740CCD52B2DBA93833FC239C0C1D2C7AD315EEDE23E413D4F9EBB58935,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000285622Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:51.551{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53273-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-
10341000x8000000000000000285621Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:53.263{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F11F-6215-1600-000000003802}1208C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285620Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:53.263{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F11F-6215-1600-000000003802}1208C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285619Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:53.263{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F11F-6215-1600-000000003802}1208C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x8000000000000000285624Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:54.966{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32479418C7FA9D248C8F3BE739636B2B,SHA256=F8E6C77FAE26F21D221840AF755FA2532155948592E2CBA35CE69F7F4809801D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214800Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:54.412{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52388DCABD36556D74006A02C5FBBB56,SHA256=A2D6AD22E645CC8CE8F251129CEFBAFFB1D32B9D9BA9E2FAB4E4A028649A7C30,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285625Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:55.981{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C4726CD35449017F4CE8CDCB3D7D662,SHA256=B74B3160333C3924FCC5BA0E5178655860C070452A79FC2AA9B27AC132C5CB37,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214801Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:55.631{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D58297D054789584394073E3115E9E5,SHA256=D82669FEE8E137230545DEA14391804BAA22FB17E1F794800412EDDC4EBECE89,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214802Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:56.646{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F79F13BC112DABC09B477C3FA936349,SHA256=C0F9C6AB11B6A83A3CD309E048EFE0EFB036FA6717497CEDB71D22FC58516E04,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214803Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:57.881{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B60AB19BC193BFD39AF8AA7B50E371C,SHA256=E502537230849A69E68C0F611B14CF8C6567611DDAAB12A1F6669816A2EB1616,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285626Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:56.997{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EDBB2C866A1104EAC93AD5CD5FBD791,SHA256=64784E8CFE871FF4CB80E98FDDB0EDC340EEBD3E6E26BD6DAE79A234B17B0D3D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214805Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:58.928{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCEE7E6B0E188F6ADBEEA3035A28AD7D,SHA256=49597DC7E9BFBC31B65C2016017D87E53F3F615606F1DE8139375374C3EB2231,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000285628Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:56.723{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53274-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-
23542300x8000000000000000285627Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:58.013{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D75B624A5E1DA41047EDDDBBED22F86,SHA256=1C7129F1AC553BBA2AACAE5C4C92133B5160556BD416A5BE96EFDDC143FFE97D,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000214804Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:55.586{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51212-false10.0.1.12-8000-
23542300x8000000000000000214806Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:39:59.943{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B746DE15BDB24185D1B69E65721B1C3F,SHA256=16B24B1C605FFE773D145979E4E42B856954C205A6F1800956B8088653F86A3D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285629Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:39:59.044{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86C96150504D1E4A13C21B42040A37E5,SHA256=D22AADB9E0DF77B042FC4886BDDCB28BB05558AAF80F1FAAEF37A5E036E22A2C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214807Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:00.959{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D5F2DE08BDC506D46793EAFB94E2718,SHA256=AF7C21DBE725CDFA2A98C1D37EBF2B30B572C0039AF80FEBC8A94C0582D3A705,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285631Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:00.173{C8EA50B7-F130-6215-2F00-000000003802}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03cdc2690a17b3e8a\channels\health\respondent-20220223083251-123MD5=A38EB58E8C6680789F1AEA0022EC0210,SHA256=7B5C3F2ACD9B17C99423AC4BB2B0CFD455B3A71F8C48567BF2A051FF8E6D4921,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285630Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:00.061{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B46C4827F1DE12CC8464D9D119CFB40,SHA256=1BF9F9E92CBA65172C0C1170BA4675192623055EDF8017C568D1831B05A4D5CB,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214808Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:01.975{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=714BD72123A3C5C382B89DBD0DD82E80,SHA256=01281145E4A18B989DEFF2628B62BC4F5F7321EFA21ECA910A5061A6D3C85E7A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285633Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:01.176{C8EA50B7-F130-6215-2F00-000000003802}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03cdc2690a17b3e8a\channels\health\surveyor-20220223083249-124MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285632Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:01.112{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8694BFE9B3877ACCA75F1321B14C98F1,SHA256=B4CEC5409CACF0BE82D3E817F5FF442625878ECCA2BD9A53E87968AF0F254650,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214809Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:02.975{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F719809433372DF576645C4FDEAD63EB,SHA256=70AA69660F749C69484D6D4FA3B04675223083CCE0C1FEA98146B18D627A0667,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000285651Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:02.677{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0F02-6216-BB04-000000003802}4324C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285650Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:02.677{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285649Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:02.677{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285648Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:02.677{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285647Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:02.677{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285646Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:02.677{C8EA50B7-F11C-6215-0500-000000003802}412368C:\Windows\system32\csrss.exe{C8EA50B7-0F02-6216-BB04-000000003802}4324C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000285645Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:02.677{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0F02-6216-BB04-000000003802}4324C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000285644Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:02.678{C8EA50B7-0F02-6216-BB04-000000003802}4324C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x8000000000000000285643Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:02.239{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9240FF4F509559FD3AEC560971763F4D,SHA256=81A8457449FEF179C5FEE95A03B293863CF8714646E863D7306B65DEC2C2F0F5,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000285642Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:02.161{C8EA50B7-0F02-6216-BA04-000000003802}2176300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285641Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:02.005{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0F02-6216-BA04-000000003802}2176C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285640Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:02.005{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285639Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:02.005{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285638Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:02.005{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285637Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:02.005{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285636Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:02.005{C8EA50B7-F11C-6215-0500-000000003802}412528C:\Windows\system32\csrss.exe{C8EA50B7-0F02-6216-BA04-000000003802}2176C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000285635Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:02.005{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0F02-6216-BA04-000000003802}2176C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000285634Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:02.006{C8EA50B7-0F02-6216-BA04-000000003802}2176C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x8000000000000000214811Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:03.975{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62F5CCDC0B25F4528FAC09C0F92B0136,SHA256=290C2C217282498985CED479772638F823CB67CA2E9E8843605DC029B0411F93,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285654Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:03.255{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0636CAB990E7E86557E45CFD199B211B,SHA256=CB1E5D7937788EE54D66DEEBEBC4A470E2F3A4359EB65F978BDAD9E65E166D63,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000214810Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:00.649{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51213-false10.0.1.12-8000-
23542300x8000000000000000285653Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:03.036{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=743F77D6842CBC5EB3D4C7F5E96AC50F,SHA256=02B59B8D48ABAE687EE57E28836A48D7C8EDC4F224C10DCEF70867A741139EA0,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285652Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:03.036{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7E2BF5340F4905530D5E7B15185426EE,SHA256=20B4A61A507D8B4FE21CB56894CE2016D3A3CB14BA5FA0861E7BF24B569A1130,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214812Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:04.990{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5D70021952CF54FDEB1D1CEEEF68F72,SHA256=5FF6BF4C23093DCA3470872B3CC1927650CB480FC208B118870C67BD13F8F894,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285664Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:04.646{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=743F77D6842CBC5EB3D4C7F5E96AC50F,SHA256=02B59B8D48ABAE687EE57E28836A48D7C8EDC4F224C10DCEF70867A741139EA0,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000285663Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:04.302{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0F04-6216-BC04-000000003802}6108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285662Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:04.302{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285661Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:04.302{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285660Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:04.302{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285659Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:04.302{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285658Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:04.302{C8EA50B7-F11C-6215-0500-000000003802}412368C:\Windows\system32\csrss.exe{C8EA50B7-0F04-6216-BC04-000000003802}6108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000285657Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:04.302{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0F04-6216-BC04-000000003802}6108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000285656Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:04.302{C8EA50B7-0F04-6216-BC04-000000003802}6108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x8000000000000000285655Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:04.270{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C265F72A13F1E130D4107FFB5F69208,SHA256=D0196094811BB4A05332BD5C137C33C8B633003F8A3A16B9676391B425728806,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285668Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:05.286{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=277EBFA7FD6A8D50A5486510E78C9981,SHA256=D5EB75B1572FC4D033526152F4C7744468443CE1602741A630FE0707592F8864,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000285667Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:03.121{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53276-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local389ldap
354300x8000000000000000285666Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:03.121{C8EA50B7-F130-6215-2C00-000000003802}2420C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53276-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local389ldap
354300x8000000000000000285665Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:02.652{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53275-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-
23542300x8000000000000000285669Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:06.302{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F95B3E84E4F3C41CE807475B720FB9E3,SHA256=7FE60154063AC0E6A0701CDFB55444A5D243A9A4BCA6EFAD499BF2EE8D6F1D23,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214813Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:06.209{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3ED9EBA7819DC9EAAC8D1B935FF703AD,SHA256=45BDE014D77A82C049352D138AC82591765CEA47812D01CBF995603AAD38F7CF,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285670Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:07.317{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CD6588A01E8A1289B7B04AA3B72E399,SHA256=E5E51A3474107C989C735A59F05BF1BFDEAA8E7FFAA57A4CCCA81D853C519006,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214814Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:07.240{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79068F1220051CDF12149B9132237499,SHA256=8AD4994292C47E23BBD719FB7AE1AEDC2F3064222BE77F3C85D0ED87E6313490,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285671Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:08.333{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04B2AD7493E8147AFF524C60A7EEAE45,SHA256=973ABE0AD16F4D5B2146CDDC5BC6B680A433ABA7902CCD781E9BD4A9769722BB,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214815Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:08.271{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D73834F3E389A45162305E2274DD1EB2,SHA256=7787E3A74BE6C8C9BAEE975624AAA8141530723FE16BAFC70AEBA762AC221169,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000214817Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:06.664{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51214-false10.0.1.12-8000-
23542300x8000000000000000214816Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:09.303{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CD06C53B74AC012846CB391ACDD33B1,SHA256=266A086E65678B82988035E6677F55BBE706EC9E8381BE09EB39A020D3966C1E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285672Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:09.349{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=799B03B6CAA47061D950D0321AEC7C1C,SHA256=55C42DBC8D9E6449E609B4D4A1D6A1DEFB5AE90CFA46B0DE9BDBD0C773C932B9,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285673Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:10.364{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D03617D074AF9120ADC4E2925231179,SHA256=155053CA84525849755B7A544DD6E149B58CE8884FA9176A73998ADCC257C8A1,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214818Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:10.506{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1D6435BBD8027B694BB9D6B8CB40AC1,SHA256=23F1B16AFFD01E5C216D69A59ACF32D957C8C96DB48533C30A97455B485430E4,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285675Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:11.458{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CF6FE7F386100B10F9CEBD84B709A32,SHA256=6C7C92824D3E74A3C9A8E8AB4E0E692F1FE491FE2A4579A9401C992097F84D60,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214819Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:11.506{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D5FD78BF7DCB022BADB28EE8872C776,SHA256=C876B9A3B5AF105E8358E625620A109F824A197214D98BDCDF48C7BA2A7AAB38,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000285674Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:08.621{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53277-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-
23542300x8000000000000000285676Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:12.474{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE24D76EFB8F21EEF4FE4F58B95059F9,SHA256=4EB5BA19EF1FF91480425F3414B1F4E8955F2B65C8E2E57CF8C5FA1260B5BB85,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214820Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:12.615{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3984B67EE4F851B389E2C4E032528F8,SHA256=595E6F2E3A374C467982D8604B8D9ED43CCD3B3BE17553D04086E3D8C089ED8D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285677Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:13.567{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C99BC218F48C66CA784059F17F76899,SHA256=05179F0F82AEC5B2BACA8F193742464BCC73301450386883F88E10623EB22E89,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214821Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:13.834{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70B988EFBE4FB893EB90DC1BF82AE1A2,SHA256=637BF5E826594705549935B163B3CB2689BB2AAAD53E00D33CF36A4205E5F5E5,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285678Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:14.583{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C196704BB8971E9C9646175C25D8046,SHA256=7254E6875944CB38C302C21C842D0671F6446F17C01472394CE87756BEF59B9B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285679Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:15.583{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=704C041B9193E88A954DDD852A70B717,SHA256=8AF4AAA688D47D7BDCC9D02D9CB6369DEA7C677DE3B746EAFCD4F4AD7435B1A9,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000214823Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:12.493{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51215-false10.0.1.12-8000-
23542300x8000000000000000214822Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:15.006{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C6B025227EAA96A7684AA630DCCC309,SHA256=CE5428B8EB2FBF3420C31427EA7A2FC076EAA96718547B3BF165B7A3F615EBDD,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285680Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:16.614{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE0E28BFD244199D650784481929185E,SHA256=2234F93F37D51A0314557A9B6229984560407E5F0104E8C5FB234102B9EF8885,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214824Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:16.053{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80F2F4B1D58F8BDB6967E11914DE5045,SHA256=E060644262EA67D968C4A6B6ED686CE8E198BA58B00E9D450485767E4283BBA8,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285682Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:17.677{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94A7C0317DCD943BE226D96CB0CBA41A,SHA256=7C3D9D38654F36A3D6CF518C13A6D1380CC47FC626E03456382AAE7FA1C4C464,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214825Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:17.068{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C18B268D1348D08C62BF9142BFCA397A,SHA256=F7D9F2F624A8420E31A71AF692196F40AB54DC522966434F5578A444DCA8926F,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000285681Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:14.559{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53278-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-
23542300x8000000000000000285683Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:18.677{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31B6715503D4AB00F51D4B522B70EDB0,SHA256=305DADF9253CB952B00C774E209508409D84101A804FD9F2381CA8CA58724BF3,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214826Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:18.084{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD52CAF957B87139C20E71201A2F6E8C,SHA256=700EFFBD7F59888B2633BF3D49B2BC7538B517F10B5175ADC3C7284B80CD027B,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000285701Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:19.958{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0F13-6216-BE04-000000003802}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285700Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:19.958{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285699Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:19.958{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285698Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:19.958{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285697Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:19.958{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285696Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:19.958{C8EA50B7-F11C-6215-0500-000000003802}412368C:\Windows\system32\csrss.exe{C8EA50B7-0F13-6216-BE04-000000003802}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000285695Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:19.958{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0F13-6216-BE04-000000003802}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000285694Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:19.959{C8EA50B7-0F13-6216-BE04-000000003802}4240C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
10341000x8000000000000000285693Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:19.739{C8EA50B7-0F13-6216-BD04-000000003802}49002652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x8000000000000000285692Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:19.739{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C212DAC785556E8CAF677558EE85AD46,SHA256=0324208A1F8BB21F0547A60BC0087E79D49EB607BAE819B8506ED18ED46EA8CF,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000285691Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:19.458{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0F13-6216-BD04-000000003802}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285690Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:19.458{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285689Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:19.458{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285688Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:19.458{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285687Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:19.458{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285686Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:19.458{C8EA50B7-F11C-6215-0500-000000003802}412528C:\Windows\system32\csrss.exe{C8EA50B7-0F13-6216-BD04-000000003802}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000285685Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:19.458{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0F13-6216-BD04-000000003802}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000285684Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:19.459{C8EA50B7-0F13-6216-BD04-000000003802}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
354300x8000000000000000214828Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:17.573{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51216-false10.0.1.12-8000-
23542300x8000000000000000214827Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:19.146{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8BDA092C26010880432DE058160B333,SHA256=88173D86BA5A8B3FD4A54BB644D4B8AC246075F862AD34853D36080CDDCBE9F8,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285714Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:20.739{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AD37F876C384B0340D2D0A8A0EA3B93,SHA256=6BC4E6D2D277BF7F0A7972E655749EAD529938212966F269A5F37A21B3053E72,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214829Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:20.146{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21CF7111122A56906644BFBAB5A9CBC6,SHA256=4E46A27F7B423F0E89EDEED21588F720F58E6B3CF067E040630C4B0383157FB6,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000285713Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:20.630{C8EA50B7-0F14-6216-BF04-000000003802}38564380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x8000000000000000285712Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:20.473{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1AA2CF4B98901BBFE660AC94F2EDE345,SHA256=1A4D67064C717B81AA2E208FDB8E0514870C9010DD954D08A7E37FBF2E48CEC7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285711Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:20.473{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=72641051AA7C38130BBA4327C7551573,SHA256=3AAB7E3351AD2222FF05DAD048B5D6C2B9F623714022D8EC335A77A1FFEBD2A3,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000285710Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:20.458{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0F14-6216-BF04-000000003802}3856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285709Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:20.458{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285708Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:20.458{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285707Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:20.458{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285706Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:20.458{C8EA50B7-F11C-6215-0500-000000003802}412428C:\Windows\system32\csrss.exe{C8EA50B7-0F14-6216-BF04-000000003802}3856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000285705Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:20.458{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285704Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:20.458{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0F14-6216-BF04-000000003802}3856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000285703Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:20.459{C8EA50B7-0F14-6216-BF04-000000003802}3856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
10341000x8000000000000000285702Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:20.208{C8EA50B7-0F13-6216-BE04-000000003802}42403336C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x8000000000000000285723Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:21.817{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E917A473868EA490D4E6FC6EA4BB034,SHA256=B26FB2F1DE2BB8276EB10FBA7B313F34C0F56A38DECFBA8DED50EC51E770F88E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214830Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:21.162{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D36392EC97BE328AFA0BB175A311B089,SHA256=63C843BFF7C6EF11A3197F9A11E52DBD34C7210595818C5532325E2AD3EEE410,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000285722Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:21.130{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0F15-6216-C004-000000003802}5972C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285721Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:21.130{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285720Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:21.130{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285719Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:21.130{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285718Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:21.130{C8EA50B7-F11C-6215-0500-000000003802}4122608C:\Windows\system32\csrss.exe{C8EA50B7-0F15-6216-C004-000000003802}5972C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000285717Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:21.130{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285716Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:21.130{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0F15-6216-C004-000000003802}5972C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000285715Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:21.131{C8EA50B7-0F15-6216-C004-000000003802}5972C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x8000000000000000285726Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:22.864{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D326C9FBC7F61A8D37C3494BC8D9B5C5,SHA256=394AE25A150E11FE707B6114E864E9C6F1EFEBE193B7468F2F105633E61755A1,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214831Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:22.178{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFF67171699695C4B8E74AB814C3D4AF,SHA256=1C5CB4A6D03CA4A4CE9FB8C29F437CC9AD469FAC9106AD4B097412F0310FE297,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000285725Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:19.590{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53279-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-
23542300x8000000000000000285724Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:22.177{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1AA2CF4B98901BBFE660AC94F2EDE345,SHA256=1A4D67064C717B81AA2E208FDB8E0514870C9010DD954D08A7E37FBF2E48CEC7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285727Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:23.895{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A27DCFCF344E213A3E27D2D8308275CB,SHA256=8F5068EFB85983DD8F664FDE2CB30539812B20AA711FBE248CF2CCFAC63E61ED,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214832Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:23.193{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B96B7C18D7EE5C7EAF98F9BCCCBB8BB6,SHA256=9D4A7E28122B56001605EBE34E160AC52153FFCD60151B3F4B64BD59EE5E87FD,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285728Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:24.927{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C5E34B44113ABC4638E053FC025CD00,SHA256=98289EC42A8C494644DA66AC2BF9B1B958DAC1F043FA2E7D8F658D32D4DA1231,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214833Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:24.334{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5B742F9FB1FBD2018D6EB24ABF33F5A,SHA256=5316AC12E3592660231D15A420CC0D10EEC9FAFF9DBD9625F7DBB01A2C10405F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285729Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:25.973{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB5721E126CBF285700BE3D087A8265E,SHA256=3911F3D9CBC741478B923C5F7251D09F8B9E23758B0397D0277B0F86A2A12DD1,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000214835Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:22.633{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51217-false10.0.1.12-8000-
23542300x8000000000000000214834Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:25.459{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F6883BCEFEE3C8178F4725B8866712A,SHA256=31A74DAD067A6F836BC239EBB1B71183C81D69DC0F292350DAB31C9B01D32D95,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285730Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:26.989{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E78AF3EE29B812C01058B65962D093C7,SHA256=BC2A1B006DE18D64A9B20C50DC421B1622668057BC655FD898C3DF3D3C602626,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214836Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:26.537{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B08D2716A23944D4AD562600A51CD679,SHA256=FC0AA3B56435D5752F5C61125C906D032796151EF3DFDD5144270BF27B682A54,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214837Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:27.553{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED7332D34695BEC69011EDA6FB540114,SHA256=1458A4730F1C4512ED488C00EFAB6D6CC8141BEF6AD1BC59807BEB0B8EC72623,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214838Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:28.553{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B9BE75A3BA85C8FB061698D5EBCA573,SHA256=16170D0C2F10EB0A90C045D010A64738AA73CCB1B99E634B3231A36EC08B72A2,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000285732Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:25.559{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53280-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-
23542300x8000000000000000285731Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:28.005{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=326812688088C4D0480DFD93B4277A07,SHA256=8E749E4807C6AE7B887C5C25CB955AC48D7964FD405F502BFBDCA4B79646C51D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214839Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:29.771{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A3F5DEDA4E0BC80AB5412DF6964B8BD,SHA256=BE7AD081E065ABD46767DC273AB1074F0B2456DCF901CB9B08211CEA5FAE6458,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285733Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:29.067{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C1C276B787D48149027F96EEA634274,SHA256=BDFF7F5C4B3B0CEB20E86FBD676A050A8D8F50846D8548EC3C125F1232CE4ECA,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285734Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:30.161{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61A2155C72CC356DC553B1E16B9145AF,SHA256=E9C810CA1F7C801DDDC574C516173261CCBCBA2954D32D73CF97BB6E8935B0DD,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214840Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:30.240{4F8D34B0-F11C-6215-1100-000000003902}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=E3946154422D18B94F95E240E159635B,SHA256=1E034AC9538C64725BF70D67380CC147D9E292A42361561EDE54EA2ED43726D3,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285735Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:31.208{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=923257FA438ABBD60DCB6FC06871FD79,SHA256=4FE6D061E85D4D1B39BAB846A5FDA7D128BFB7E53FD52630AE159C35557B0F31,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214842Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:31.006{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3AACDD7E1539F6618DA399B7F4A0D9D,SHA256=776ECC86C5999CC9A8D310BB13F14F30BDF8CA251CB60C267FF65804F3933683,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000214841Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:28.681{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51218-false10.0.1.12-8000-
23542300x8000000000000000214843Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:32.053{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5CCF99FEA05D10E0318B10FDD744F7C,SHA256=F1FBE4B4506F8E11DFE9DDFF1EBB32C6D2B883131B666FA93DD48377BAFD52B2,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285736Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:32.239{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7946A0ECD1DFFAEEA0399C0A59025C6,SHA256=3C8933EFB23E8D672FE7397B679F0FD23EC4D52C3CB32E3AC97D04F6945072D1,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214844Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:33.131{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=747E68BA631F8B290B9D4DF911B08340,SHA256=2535B6AF7F970C55D7E7B563B5D84F33C0A1895E0C94D94FE863CB57129FFEFE,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000285740Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:31.590{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53281-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-
23542300x8000000000000000285739Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:33.755{C8EA50B7-F2AD-6215-C000-000000003802}4856ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.datMD5=58FDE1A71D2ADB272DABB3A92B406559,SHA256=555933C7D5D49EBF3648EE1EF420E0C71835139B8A8DEF8FBA64C9EBE48B0C32,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285738Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:33.286{C8EA50B7-F11F-6215-1300-000000003802}616NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=030F366F3201C22FC3F32FD4E264F305,SHA256=A09E542D37D386188E683EFFC1633518656F6390389C27E1A482C653D4E13F35,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285737Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:33.270{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C49283FF816CA7201312BD409612968A,SHA256=2F3C0CC02A22FB4FE5A1A1481A71923645F03B67687CB2AE87ABE68EB9922D12,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214845Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:34.240{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A56FB5575EA788251C1B6E368148F541,SHA256=9C06C763FDB99B25D930FDC38F15957FC08D84D6E373E1A9C496727AAEE6CF99,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285741Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:34.380{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E6ADDC199605FF37A16B2A9FE973BF9,SHA256=0286B1E5FC2F2C3009943BB0C3AB0467B2974BF1AC947E46C0F0B0CE96284EC1,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000285756Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:35.958{C8EA50B7-F2AD-6215-C000-000000003802}48564340C:\Windows\Explorer.EXE{C8EA50B7-F3BE-6215-F300-000000003802}4808C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285755Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:35.958{C8EA50B7-F2AD-6215-C000-000000003802}48564340C:\Windows\Explorer.EXE{C8EA50B7-F3BE-6215-F300-000000003802}4808C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285754Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:35.958{C8EA50B7-F2AD-6215-C000-000000003802}48564340C:\Windows\Explorer.EXE{C8EA50B7-F3BE-6215-F300-000000003802}4808C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285753Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:35.958{C8EA50B7-F2AD-6215-C000-000000003802}48565012C:\Windows\Explorer.EXE{C8EA50B7-F3BE-6215-F400-000000003802}4928C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+639b0|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285752Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:35.958{C8EA50B7-F2AD-6215-C000-000000003802}48565012C:\Windows\Explorer.EXE{C8EA50B7-F3BE-6215-F400-000000003802}4928C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47d70|C:\Windows\System32\SHELL32.dll+6396c|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285751Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:35.958{C8EA50B7-F2AD-6215-C000-000000003802}48565012C:\Windows\Explorer.EXE{C8EA50B7-F3BE-6215-F400-000000003802}4928C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63940|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285750Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:35.958{C8EA50B7-F2AD-6215-C000-000000003802}48565012C:\Windows\Explorer.EXE{C8EA50B7-F3BE-6215-F400-000000003802}4928C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285749Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:35.833{C8EA50B7-F2AD-6215-C000-000000003802}48564340C:\Windows\Explorer.EXE{C8EA50B7-F674-6215-5C01-000000003802}6072C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285748Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:35.833{C8EA50B7-F2AD-6215-C000-000000003802}48564340C:\Windows\Explorer.EXE{C8EA50B7-F674-6215-5C01-000000003802}6072C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285747Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:35.833{C8EA50B7-F2AD-6215-C000-000000003802}48564340C:\Windows\Explorer.EXE{C8EA50B7-F674-6215-5C01-000000003802}6072C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285746Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:35.833{C8EA50B7-F2AD-6215-C000-000000003802}48565012C:\Windows\Explorer.EXE{C8EA50B7-F674-6215-5D01-000000003802}5016C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+639b0|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285745Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:35.833{C8EA50B7-F2AD-6215-C000-000000003802}48565012C:\Windows\Explorer.EXE{C8EA50B7-F674-6215-5D01-000000003802}5016C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47d70|C:\Windows\System32\SHELL32.dll+6396c|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285744Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:35.833{C8EA50B7-F2AD-6215-C000-000000003802}48565012C:\Windows\Explorer.EXE{C8EA50B7-F674-6215-5D01-000000003802}5016C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63940|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285743Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:35.833{C8EA50B7-F2AD-6215-C000-000000003802}48565012C:\Windows\Explorer.EXE{C8EA50B7-F674-6215-5D01-000000003802}5016C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x8000000000000000285742Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:35.458{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE5705BC725A4D073C7E341D75249182,SHA256=D510090DA8F9A384A7281EF6EABA1689A27972A05F22E5A1C648F013B4C4E9D9,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214846Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:35.256{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B1A6C9293E2FDC048769E9B52E3986D,SHA256=ACE986F21590B42E6CE9A66709722F25C6F75DEC24E5C18EFF0879B8B3C2C41B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285757Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:36.505{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D86092EABF2EC71439BB959D79E9A5B4,SHA256=99F489571DE9E835609EEDBED3F3819A98316CE61EF882AE0DE3E1D3434F60AD,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214847Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:36.271{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9726C8DD8463FF0D60287ADA3BEEB59E,SHA256=946DB35AB63F276AC2A1CB255B7103BCF5DFD5F97E073331577C42BF31CFFA54,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285758Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:37.552{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00D201C2F4D95D9F5935969D2010CF8C,SHA256=0E21E2892420C5A797F63276A8B4BC95F98862B44A59A02781CF450B77E985AE,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214849Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:37.287{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=656AF4A7D3B18964CD9021C00B5ACD74,SHA256=52AED7BA4E385C0B340ADA1054E05F2377DA5134A8F573A940DA435C977F613F,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000214848Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:34.586{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51219-false10.0.1.12-8000-
23542300x8000000000000000285759Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:38.708{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=275606279B815BCB71BFF926A9AA24B3,SHA256=943DB8EFE714FF6F4D220038AC8F61ED2D7D0526DB0FD85F84736E96B92450A4,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214850Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:38.302{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E0EBDB0FE7D1EBFF3D81A9F50CF2D24,SHA256=443C2B3E9687C3A86545A70212F52D199EE0A8190B67A8F00E67633CBB5699D3,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000285793Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:37.605{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53282-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-
23542300x8000000000000000214851Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:39.318{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A404463F04BA4C0B68650D7364C82D00,SHA256=67FA7DF501095DAD905923A3BCE13E914A47B0DBEAE77ED93850FCF17EED4202,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000285792Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:39.708{C8EA50B7-F2AD-6215-B800-000000003802}43485380C:\Windows\System32\RuntimeBroker.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+621bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae95a|C:\Windows\System32\combase.dll+a571d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65313|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+638d8|C:\Windows\System32\combase.dll+6165d|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+7c239|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd
10341000x8000000000000000285791Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:39.708{C8EA50B7-F2AD-6215-B800-000000003802}43485380C:\Windows\System32\RuntimeBroker.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+621bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae95a|C:\Windows\System32\combase.dll+a571d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65313|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+638d8|C:\Windows\System32\combase.dll+6165d|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+7c239|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd
10341000x8000000000000000285790Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:39.708{C8EA50B7-F2AD-6215-C000-000000003802}48564340C:\Windows\Explorer.EXE{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285789Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:39.708{C8EA50B7-F2AD-6215-C000-000000003802}48564340C:\Windows\Explorer.EXE{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285788Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:39.708{C8EA50B7-F2AD-6215-C000-000000003802}48565368C:\Windows\Explorer.EXE{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+1093d6|C:\Windows\System32\TwinUI.dll+82ba7|C:\Windows\System32\TwinUI.dll+bed5e|C:\Windows\System32\TwinUI.dll+bed29|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285787Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:39.708{C8EA50B7-F2AD-6215-C000-000000003802}48565368C:\Windows\Explorer.EXE{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+1093d6|C:\Windows\System32\TwinUI.dll+82ba7|C:\Windows\System32\TwinUI.dll+bed5e|C:\Windows\System32\TwinUI.dll+bed29|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285786Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:39.692{C8EA50B7-F2AD-6215-C000-000000003802}48564340C:\Windows\Explorer.EXE{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285785Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:39.692{C8EA50B7-F2AD-6215-B800-000000003802}43484432C:\Windows\System32\RuntimeBroker.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+621bb|C:\Windows\System32\execmodelclient.dll+8e62|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+651cb|C:\Windows\System32\combase.dll+6530c|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+638d8|C:\Windows\System32\combase.dll+6165d|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+7c239|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+3534e|C:\Windows\System32\RPCRT4.dll+20cc7|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e
10341000x8000000000000000285784Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:39.692{C8EA50B7-F2AD-6215-B800-000000003802}43484432C:\Windows\System32\RuntimeBroker.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+621bb|C:\Windows\System32\execmodelclient.dll+8d5e|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+651cb|C:\Windows\System32\combase.dll+6530c|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+638d8|C:\Windows\System32\combase.dll+6165d|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+7c239|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+3534e|C:\Windows\System32\RPCRT4.dll+20cc7|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e
10341000x8000000000000000285783Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:39.630{C8EA50B7-F2AD-6215-B800-000000003802}43485380C:\Windows\System32\RuntimeBroker.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+621bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae95a|C:\Windows\System32\combase.dll+a571d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65313|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+638d8|C:\Windows\System32\combase.dll+6165d|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+7c239|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd
10341000x8000000000000000285782Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:39.630{C8EA50B7-F2AD-6215-B800-000000003802}43485380C:\Windows\System32\RuntimeBroker.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+621bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae95a|C:\Windows\System32\combase.dll+a571d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65313|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+638d8|C:\Windows\System32\combase.dll+6165d|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+7c239|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+3534e
10341000x8000000000000000285781Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:39.615{C8EA50B7-F2AD-6215-C000-000000003802}48563860C:\Windows\Explorer.EXE{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+1093d6|C:\Windows\System32\TwinUI.dll+82ba7|C:\Windows\System32\TwinUI.dll+bed5e|C:\Windows\System32\TwinUI.dll+bed29|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285780Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:39.615{C8EA50B7-F2AD-6215-C000-000000003802}48563860C:\Windows\Explorer.EXE{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+1093d6|C:\Windows\System32\TwinUI.dll+82ba7|C:\Windows\System32\TwinUI.dll+bed5e|C:\Windows\System32\TwinUI.dll+bed29|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285779Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:39.615{C8EA50B7-F2AD-6215-C000-000000003802}48564980C:\Windows\Explorer.EXE{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba0bc|C:\Windows\System32\TwinUI.dll+ba897|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+651cb|C:\Windows\System32\combase.dll+6530c|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+638d8|C:\Windows\System32\combase.dll+61d3f|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+5e426|C:\Windows\System32\combase.dll+5dbda|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e
10341000x8000000000000000285778Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:39.615{C8EA50B7-F2AD-6215-C000-000000003802}48564980C:\Windows\Explorer.EXE{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba0bc|C:\Windows\System32\TwinUI.dll+ba897|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+651cb|C:\Windows\System32\combase.dll+6530c|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+638d8|C:\Windows\System32\combase.dll+61d3f|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+5e426|C:\Windows\System32\combase.dll+5dbda|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e
10341000x8000000000000000285777Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:39.598{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285776Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:39.583{C8EA50B7-F11F-6215-0D00-000000003802}8881056C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285775Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:39.583{C8EA50B7-F11F-6215-0D00-000000003802}8881056C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285774Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:39.583{C8EA50B7-F11F-6215-0D00-000000003802}8881056C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285773Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:39.583{C8EA50B7-F11F-6215-0D00-000000003802}8881056C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285772Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:39.583{C8EA50B7-F11F-6215-0D00-000000003802}8881056C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285771Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:39.583{C8EA50B7-F11F-6215-0D00-000000003802}8881056C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285770Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:39.583{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a384|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285769Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:39.583{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285768Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:39.583{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285767Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:39.583{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c
10341000x8000000000000000285766Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:39.583{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c
10341000x8000000000000000285765Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:39.583{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c
10341000x8000000000000000285764Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:39.583{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285763Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:39.583{C8EA50B7-F2AD-6215-C000-000000003802}48565012C:\Windows\Explorer.EXE{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285762Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:39.583{C8EA50B7-F2AD-6215-C000-000000003802}48565368C:\Windows\Explorer.EXE{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+1093d6|C:\Windows\System32\TwinUI.dll+82ba7|C:\Windows\System32\TwinUI.dll+bed5e|C:\Windows\System32\TwinUI.dll+bed29|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285761Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:39.583{C8EA50B7-F2AD-6215-C000-000000003802}48565368C:\Windows\Explorer.EXE{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+1093d6|C:\Windows\System32\TwinUI.dll+82ba7|C:\Windows\System32\TwinUI.dll+bed5e|C:\Windows\System32\TwinUI.dll+bed29|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x8000000000000000285760Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:39.520{C8EA50B7-F130-6215-3000-000000003802}2512NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C796F5788518CF0F57AB5C87207C5D14,SHA256=0CE7095FECB35749AB15D15586D728EDDAEC94009FC3FB4FCEDC790B064FF951,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214852Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:40.334{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3440183C266204A44AFB21D193FF58B,SHA256=27E6A567FA0F4DB79C41E4B466096769F641F8CC5F13CB15D0449CC9DA4CF9E0,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285794Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:40.161{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70B5E4DAC1C8F5D8FD76A9081AAB94A8,SHA256=F458E46CCADBDB9FBA4C251FE48579B7607C0D70BB4DF9FD7C90E0A365B74A9E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214853Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:41.334{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70B9C36018F77435BA1B3C7B70EFDCCF,SHA256=74215494DB9C5D7FD161EFDF5B11C61A62B894DEAA4610906A8A51ADD4F5609B,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000285796Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:38.980{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53283-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089-
23542300x8000000000000000285795Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:41.036{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78428D5C3FEFA0E71C097B4305E38954,SHA256=71BC271D0CF72F3224323853509A756DBA38A6579FA142482E56233EC9E34C4A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214854Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:42.381{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28DA4C1F66EC0AB8FC15E3002AA1BA42,SHA256=EE409C1DABE3001DF073DD44DD87A35E4F5F5D40B7CCA51D6672E03F1324C525,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285797Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:42.145{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8D3B9723D41D07444632999C4CA87BF,SHA256=B28E38B788C1EC9DCA1D70E70462C7E823C041422267AB3830EA7BDE1A34478C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214857Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:43.382{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=617B2E25380DCCC6E853CDC32E887291,SHA256=232E2BB0F22D711B21E963D39CCBFE5F7C0E2B4641AC1E796C65FE8B3E329A9B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285798Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:43.177{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7923010BD7DDB8DD09230AFBCF51E114,SHA256=FC15E51C2377E59AAF2E753EFD91F4DB884DA6F42F493324608EB41BDBA010EE,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000214856Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:40.633{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51220-false10.0.1.12-8000-
23542300x8000000000000000214855Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:43.009{4F8D34B0-F11D-6215-1D00-000000003902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04ffbe17aee3fbf0d\channels\health\respondent-20220223083233-124MD5=7840F8D654EED3E7C6FA395A9E23FA56,SHA256=FC4C38DACEF1698268BE802A03907A00216EAC67FA531AF20528DD4173FB9624,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214859Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:44.410{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=862A87184A05B5A7BA875C76494AA4BD,SHA256=292C7A24187856B1B468E6C91A7119662AFFF9E887D62F205698250FC17C1667,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000285822Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:44.925{C8EA50B7-F2AD-6215-B800-000000003802}43485380C:\Windows\System32\RuntimeBroker.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+621bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae95a|C:\Windows\System32\combase.dll+a571d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65313|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+638d8|C:\Windows\System32\combase.dll+6165d|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+7c239|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd
10341000x8000000000000000285821Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:44.925{C8EA50B7-F2AD-6215-B800-000000003802}43485380C:\Windows\System32\RuntimeBroker.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+621bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae95a|C:\Windows\System32\combase.dll+a571d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65313|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+638d8|C:\Windows\System32\combase.dll+6165d|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+7c239|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd
23542300x8000000000000000285820Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:44.864{C8EA50B7-F2AF-6215-C200-000000003802}4300ATTACKRANGE\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\59A4FKRV\microsoft.windows[1].xmlMD5=EA79B27D8890033A611F0F54AB21F7D2,SHA256=B6CCBFFFE5C21D5D6E721F0E68BB53A6D46748000FEBC7F01BF101B5F28652F2,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000285819Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:44.848{C8EA50B7-F11F-6215-1000-000000003802}364764C:\Windows\system32\svchost.exe{C8EA50B7-0F2C-6216-C204-000000003802}2228C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285818Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:44.848{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-0F2C-6216-C204-000000003802}2228C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285817Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:44.833{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-0F2C-6216-C204-000000003802}2228C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285816Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:44.833{C8EA50B7-F2AA-6215-B100-000000003802}22443360C:\Windows\system32\csrss.exe{C8EA50B7-0F2C-6216-C204-000000003802}2228C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000285815Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:44.833{C8EA50B7-F11C-6215-0500-000000003802}412368C:\Windows\system32\csrss.exe{C8EA50B7-0F2C-6216-C204-000000003802}2228C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000285814Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:44.833{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-0F2C-6216-C204-000000003802}2228C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+366d9|c:\windows\system32\rpcss.dll+3bec2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285813Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:44.739{C8EA50B7-F11F-6215-1000-000000003802}364764C:\Windows\system32\svchost.exe{C8EA50B7-0F2C-6216-C104-000000003802}4816C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285812Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:44.739{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-0F2C-6216-C104-000000003802}4816C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285811Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:44.739{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-0F2C-6216-C104-000000003802}4816C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x8000000000000000285810Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:44.723{C8EA50B7-F2AF-6215-C200-000000003802}4300ATTACKRANGE\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\59A4FKRV\microsoft.windows[1].xmlMD5=EA79B27D8890033A611F0F54AB21F7D2,SHA256=B6CCBFFFE5C21D5D6E721F0E68BB53A6D46748000FEBC7F01BF101B5F28652F2,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285809Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:44.723{C8EA50B7-F2AF-6215-C200-000000003802}4300ATTACKRANGE\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\59A4FKRV\microsoft.windows[1].xmlMD5=C1DDEA3EF6BBEF3E7060A1A9AD89E4C5,SHA256=B71E4D17274636B97179BA2D97C742735B6510EB54F22893D3A2DAFF2CEB28DB,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000285808Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:44.723{C8EA50B7-F2AA-6215-B100-000000003802}22443360C:\Windows\system32\csrss.exe{C8EA50B7-0F2C-6216-C104-000000003802}4816C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000285807Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:44.723{C8EA50B7-F11C-6215-0500-000000003802}4122608C:\Windows\system32\csrss.exe{C8EA50B7-0F2C-6216-C104-000000003802}4816C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000285806Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:44.708{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-0F2C-6216-C104-000000003802}4816C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+37396|c:\windows\system32\rpcss.dll+3df7d|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285805Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:44.708{C8EA50B7-F2AD-6215-B800-000000003802}43485380C:\Windows\System32\RuntimeBroker.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+621bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae95a|C:\Windows\System32\combase.dll+a571d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65313|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+638d8|C:\Windows\System32\combase.dll+6165d|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+7c239|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd
10341000x8000000000000000285804Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:44.708{C8EA50B7-F2AD-6215-B800-000000003802}43485380C:\Windows\System32\RuntimeBroker.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+621bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae95a|C:\Windows\System32\combase.dll+a571d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65313|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+638d8|C:\Windows\System32\combase.dll+6165d|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+7c239|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+3534e
23542300x8000000000000000285803Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:44.442{C8EA50B7-F2AF-6215-C200-000000003802}4300ATTACKRANGE\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\59A4FKRV\microsoft.windows[1].xmlMD5=C1DDEA3EF6BBEF3E7060A1A9AD89E4C5,SHA256=B71E4D17274636B97179BA2D97C742735B6510EB54F22893D3A2DAFF2CEB28DB,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285802Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:44.427{C8EA50B7-F2AF-6215-C200-000000003802}4300ATTACKRANGE\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\59A4FKRV\microsoft.windows[1].xmlMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000285801Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:44.411{C8EA50B7-F2AD-6215-C000-000000003802}48564964C:\Windows\Explorer.EXE{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55bd0|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF8036DEEEFD8)|UNKNOWN(FFFFEA43A72A5B68)|UNKNOWN(FFFFEA43A72A5CE7)|UNKNOWN(FFFFEA43A72A0371)|UNKNOWN(FFFFEA43A72A1D3A)|UNKNOWN(FFFFEA43A729FFF6)|UNKNOWN(FFFFF8036DC06503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5942b|C:\Windows\System32\SHELL32.dll+dac8a|C:\Windows\System32\SHCORE.dll+33fad
10341000x8000000000000000285800Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:44.411{C8EA50B7-F2AD-6215-C000-000000003802}48564964C:\Windows\Explorer.EXE{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+556b1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF8036DEEEFD8)|UNKNOWN(FFFFEA43A72A5B68)|UNKNOWN(FFFFEA43A72A5CE7)|UNKNOWN(FFFFEA43A72A0371)|UNKNOWN(FFFFEA43A72A1D3A)|UNKNOWN(FFFFEA43A729FFF6)|UNKNOWN(FFFFF8036DC06503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5942b|C:\Windows\System32\SHELL32.dll+dac8a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x8000000000000000285799Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:44.192{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CA0F8669352A0118FA0DAE1552F7530,SHA256=90D4A5514E7A92C11D9D56F7D1C9FAF19D0ECDF98BCBDB6FF17DB653084E5577,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214858Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:44.023{4F8D34B0-F11D-6215-1D00-000000003902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04ffbe17aee3fbf0d\channels\health\surveyor-20220223083230-125MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214889Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:45.772{4F8D34B0-F11D-6215-2300-000000003902}2036NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C796F5788518CF0F57AB5C87207C5D14,SHA256=0CE7095FECB35749AB15D15586D728EDDAEC94009FC3FB4FCEDC790B064FF951,IMPHASH=00000000000000000000000000000000falsetrue
13241300x8000000000000000214888Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-SetValue2022-02-23 10:40:45.726{4F8D34B0-F11C-6215-1400-000000003902}92C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d828a1-0xd051789d)
10341000x8000000000000000214887Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:45.647{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-0F2D-6216-1204-000000003902}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214886Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:45.647{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214885Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:45.647{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214884Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:45.647{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214883Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:45.647{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214882Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:45.647{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214881Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:45.647{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214880Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:45.647{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214879Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:45.647{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214878Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:45.647{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214877Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:45.647{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-0F2D-6216-1204-000000003902}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000214876Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:45.647{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-0F2D-6216-1204-000000003902}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000214875Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:45.648{4F8D34B0-0F2D-6216-1204-000000003902}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x8000000000000000214874Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:45.413{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6ACEE3155900664938C6FF50A7B6DC42,SHA256=8411960E5968486DE0D34EA2B4E0603AEBAF5888F32B4DB6326890CA0BA1DF0F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285881Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:45.719{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5D1A7E595B563C5B8CF5A58902175106,SHA256=0851804D06BE44980011E4FE0848428797F52AE857986850A7B7F6B4E32FB942,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285880Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:45.719{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=59871437CBA0B55063B79934DF9C3F18,SHA256=363D4040BBEF443A89BE96F17DAB91CE8613FC992C05363425CC832D45C58910,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000285879Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:42.668{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53284-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-
10341000x8000000000000000285878Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:45.328{C8EA50B7-F2AD-6215-B800-000000003802}4348632C:\Windows\System32\RuntimeBroker.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+3c7758|C:\Windows\System32\windows.storage.dll+3cbd7f|C:\Windows\System32\SHELL32.dll+1d2442|C:\Windows\System32\SHELL32.dll+3e670|C:\Windows\System32\SHELL32.dll+80381|C:\Windows\System32\SHELL32.dll+6731e|C:\Windows\system32\windows.cortana.Desktop.dll+42239|C:\Windows\system32\windows.cortana.Desktop.dll+318b3|C:\Windows\system32\windows.cortana.Desktop.dll+320d4|C:\Windows\system32\windows.cortana.Desktop.dll+7e45|C:\Windows\system32\windows.cortana.Desktop.dll+81c6|C:\Windows\system32\windows.cortana.Desktop.dll+8209|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285877Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:45.328{C8EA50B7-F2AD-6215-B800-000000003802}4348632C:\Windows\System32\RuntimeBroker.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+3c773c|C:\Windows\System32\windows.storage.dll+3cbd7f|C:\Windows\System32\SHELL32.dll+1d2442|C:\Windows\System32\SHELL32.dll+3e670|C:\Windows\System32\SHELL32.dll+80381|C:\Windows\System32\SHELL32.dll+6731e|C:\Windows\system32\windows.cortana.Desktop.dll+42239|C:\Windows\system32\windows.cortana.Desktop.dll+318b3|C:\Windows\system32\windows.cortana.Desktop.dll+320d4|C:\Windows\system32\windows.cortana.Desktop.dll+7e45|C:\Windows\system32\windows.cortana.Desktop.dll+81c6|C:\Windows\system32\windows.cortana.Desktop.dll+8209|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285876Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:45.328{C8EA50B7-F2AD-6215-B800-000000003802}4348632C:\Windows\System32\RuntimeBroker.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+3c773c|C:\Windows\System32\windows.storage.dll+3cbd7f|C:\Windows\System32\SHELL32.dll+1d2442|C:\Windows\System32\SHELL32.dll+3e670|C:\Windows\System32\SHELL32.dll+80381|C:\Windows\System32\SHELL32.dll+6731e|C:\Windows\system32\windows.cortana.Desktop.dll+42239|C:\Windows\system32\windows.cortana.Desktop.dll+318b3|C:\Windows\system32\windows.cortana.Desktop.dll+320d4|C:\Windows\system32\windows.cortana.Desktop.dll+7e45|C:\Windows\system32\windows.cortana.Desktop.dll+81c6|C:\Windows\system32\windows.cortana.Desktop.dll+8209|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x8000000000000000285875Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:45.328{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B960BC89E7D7A2B98C496BCA2753167E,SHA256=D0B005F2097FB762638C3B6A0B0362E99FFA2C7825CDF8F9907BE0A70278C012,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000285874Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:45.313{C8EA50B7-F2AD-6215-C000-000000003802}48564980C:\Windows\Explorer.EXE{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba0bc|C:\Windows\System32\TwinUI.dll+ba897|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+651cb|C:\Windows\System32\combase.dll+6530c|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+638d8|C:\Windows\System32\combase.dll+61d3f|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+5e426|C:\Windows\System32\combase.dll+5dbda|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e
10341000x8000000000000000285873Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:45.313{C8EA50B7-F2AD-6215-C000-000000003802}48564980C:\Windows\Explorer.EXE{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba0bc|C:\Windows\System32\TwinUI.dll+ba897|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+651cb|C:\Windows\System32\combase.dll+6530c|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+638d8|C:\Windows\System32\combase.dll+61d3f|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+5e426|C:\Windows\System32\combase.dll+5dbda|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e
10341000x8000000000000000285872Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:45.313{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285871Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:45.313{C8EA50B7-F2AD-6215-C000-000000003802}48563972C:\Windows\Explorer.EXE{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+1093d6|C:\Windows\System32\TwinUI.dll+82ba7|C:\Windows\System32\TwinUI.dll+bed5e|C:\Windows\System32\TwinUI.dll+bed29|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285870Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:45.313{C8EA50B7-F2AD-6215-C000-000000003802}48563972C:\Windows\Explorer.EXE{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+1093d6|C:\Windows\System32\TwinUI.dll+82ba7|C:\Windows\System32\TwinUI.dll+bed5e|C:\Windows\System32\TwinUI.dll+bed29|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285869Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:45.313{C8EA50B7-F2AD-6215-C000-000000003802}48566048C:\Windows\Explorer.EXE{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+1093d6|C:\Windows\System32\TwinUI.dll+82ba7|C:\Windows\System32\TwinUI.dll+bed5e|C:\Windows\System32\TwinUI.dll+bed29|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285868Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:45.313{C8EA50B7-F2AD-6215-C000-000000003802}48566048C:\Windows\Explorer.EXE{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+1093d6|C:\Windows\System32\TwinUI.dll+82ba7|C:\Windows\System32\TwinUI.dll+bed5e|C:\Windows\System32\TwinUI.dll+bed29|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285867Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:45.313{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x8000000000000000285866Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:45.313{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F41540BA37F6B2870EB5F727EC175C1B,SHA256=5CAA0D6884A888AEE1402B2D81C83AF6740F87C89BC822DD09312D07E01AD0AB,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000285865Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:45.297{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285864Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:45.297{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285863Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:45.297{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285862Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:45.297{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000285861Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:45.279{C8EA50B7-0F2D-6216-C404-000000003802}1164C:\Windows\System32\mmc.exe10.0.14393.4169 (rs1_release.210107-1130)Microsoft Management ConsoleMicrosoft® Windows® Operating SystemMicrosoft Corporationmmc.exe"C:\Windows\system32\mmc.exe" "C:\Windows\System32\gpedit.msc" C:\Windows\system32\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32HighMD5=495BFF5AE1B52661212BB65F1CFDA718,SHA256=A08EC9D2F811726BDCD71F7C5B40CDB543D092C11811A45180E569FE3F62124D,IMPHASH=ED5A55DAB5A02F29D6EE7E0015F91A9F{C8EA50B7-F2AD-6215-B800-000000003802}4348C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding
10341000x8000000000000000285860Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:45.234{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c
10341000x8000000000000000285859Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:45.234{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c
10341000x8000000000000000285858Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:45.234{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c
10341000x8000000000000000285857Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:45.234{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c
10341000x8000000000000000214873Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:45.366{4F8D34B0-0F2D-6216-1104-000000003902}22643196C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214872Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:45.147{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-0F2D-6216-1104-000000003902}2264C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214871Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:45.147{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214870Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:45.147{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214869Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:45.147{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214868Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:45.147{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214867Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:45.147{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214866Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:45.147{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214865Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:45.147{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214864Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:45.147{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214863Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:45.147{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214862Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:45.147{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-0F2D-6216-1104-000000003902}2264C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000214861Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:45.147{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-0F2D-6216-1104-000000003902}2264C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000214860Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:45.148{4F8D34B0-0F2D-6216-1104-000000003902}2264C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
10341000x8000000000000000285856Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:45.188{C8EA50B7-F11F-6215-1000-000000003802}364764C:\Windows\system32\svchost.exe{C8EA50B7-0F2D-6216-C304-000000003802}2216C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285855Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:45.188{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-0F2D-6216-C304-000000003802}2216C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285854Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:45.188{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-0F2D-6216-C304-000000003802}2216C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285853Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:45.172{C8EA50B7-F2AA-6215-B100-000000003802}22443360C:\Windows\system32\csrss.exe{C8EA50B7-0F2D-6216-C304-000000003802}2216C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000285852Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:45.172{C8EA50B7-F2AD-6215-B800-000000003802}43483224C:\Windows\System32\RuntimeBroker.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+621bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+2fc27|C:\Windows\system32\windows.cortana.Desktop.dll+2fb6b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae95a|C:\Windows\System32\combase.dll+a571d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65313|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+638d8|C:\Windows\System32\combase.dll+6165d|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+7c239|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd
10341000x8000000000000000285851Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:45.172{C8EA50B7-F2AD-6215-B800-000000003802}43483224C:\Windows\System32\RuntimeBroker.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+621bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+2fb01|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae95a|C:\Windows\System32\combase.dll+a571d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65313|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+638d8|C:\Windows\System32\combase.dll+6165d|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+7c239|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd
10341000x8000000000000000285850Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:45.172{C8EA50B7-F11C-6215-0500-000000003802}412428C:\Windows\system32\csrss.exe{C8EA50B7-0F2D-6216-C304-000000003802}2216C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000285849Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:45.172{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-0F2D-6216-C304-000000003802}2216C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+366d9|c:\windows\system32\rpcss.dll+3bec2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285848Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:45.172{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-F11F-6215-1500-000000003802}1092C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285847Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:45.172{C8EA50B7-F2AD-6215-B800-000000003802}43483224C:\Windows\System32\RuntimeBroker.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+621bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+2fc27|C:\Windows\system32\windows.cortana.Desktop.dll+2fb6b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae95a|C:\Windows\System32\combase.dll+a571d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65313|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+638d8|C:\Windows\System32\combase.dll+6165d|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+7c239|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd
10341000x8000000000000000285846Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:45.172{C8EA50B7-F2AD-6215-B800-000000003802}43483224C:\Windows\System32\RuntimeBroker.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+621bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+2fb01|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae95a|C:\Windows\System32\combase.dll+a571d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65313|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+638d8|C:\Windows\System32\combase.dll+6165d|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+7c239|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd
10341000x8000000000000000285845Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:45.172{C8EA50B7-F2AD-6215-B800-000000003802}43483224C:\Windows\System32\RuntimeBroker.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+621bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+2fc27|C:\Windows\system32\windows.cortana.Desktop.dll+2fb6b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae95a|C:\Windows\System32\combase.dll+a571d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65313|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+638d8|C:\Windows\System32\combase.dll+6165d|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+7c239|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd
10341000x8000000000000000285844Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:45.172{C8EA50B7-F2AD-6215-B800-000000003802}43483224C:\Windows\System32\RuntimeBroker.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+621bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+2fb01|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae95a|C:\Windows\System32\combase.dll+a571d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65313|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+638d8|C:\Windows\System32\combase.dll+6165d|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+7c239|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd
10341000x8000000000000000285843Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:45.156{C8EA50B7-F2AD-6215-B800-000000003802}43484048C:\Windows\System32\RuntimeBroker.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+621bb|C:\Windows\System32\windows.storage.dll+b7e0d|C:\Windows\System32\windows.storage.dll+ba4f0|C:\Windows\System32\windows.storage.dll+ebba4|C:\Windows\System32\windows.storage.dll+e929b|C:\Windows\system32\windows.cortana.onecore.dll+1717e|C:\Windows\system32\windows.cortana.onecore.dll+15f51|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+651cb|C:\Windows\System32\combase.dll+6530c|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+638d8|C:\Windows\System32\combase.dll+61d3f|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+5e426|C:\Windows\System32\combase.dll+5dbda|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\windows.cortana.onecore.dll+12bc0
10341000x8000000000000000285842Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:45.156{C8EA50B7-F2AD-6215-B800-000000003802}43483224C:\Windows\System32\RuntimeBroker.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+621bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae95a|C:\Windows\System32\combase.dll+a571d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65313|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+638d8|C:\Windows\System32\combase.dll+6165d|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+7c239|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd
10341000x8000000000000000285841Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:45.156{C8EA50B7-F2AD-6215-B800-000000003802}43483224C:\Windows\System32\RuntimeBroker.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+621bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae95a|C:\Windows\System32\combase.dll+a571d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65313|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+638d8|C:\Windows\System32\combase.dll+6165d|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+7c239|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+3534e
10341000x8000000000000000285840Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:45.156{C8EA50B7-F2AD-6215-B800-000000003802}43484048C:\Windows\System32\RuntimeBroker.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+621bb|C:\Windows\System32\windows.storage.dll+b7e0d|C:\Windows\System32\windows.storage.dll+1475c6|C:\Windows\System32\windows.storage.dll+148f28|C:\Windows\system32\windows.cortana.onecore.dll+1602f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+651cb|C:\Windows\System32\combase.dll+6530c|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+3d39b|C:\Windows\System32\combase.dll+3ec72|C:\Windows\System32\combase.dll+63c23|C:\Windows\System32\combase.dll+3e72d|C:\Windows\System32\combase.dll+61f6f|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+5e426|C:\Windows\System32\combase.dll+5dbda|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c
10341000x8000000000000000285839Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:45.156{C8EA50B7-F2AD-6215-B800-000000003802}43484048C:\Windows\System32\RuntimeBroker.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+621bb|C:\Windows\System32\windows.storage.dll+b7e0d|C:\Windows\System32\windows.storage.dll+ba4f0|C:\Windows\System32\windows.storage.dll+ebba4|C:\Windows\System32\windows.storage.dll+e929b|C:\Windows\system32\windows.cortana.onecore.dll+1717e|C:\Windows\system32\windows.cortana.onecore.dll+15fb7|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+651cb|C:\Windows\System32\combase.dll+6530c|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+3d39b|C:\Windows\System32\combase.dll+3ec72|C:\Windows\System32\combase.dll+63c23|C:\Windows\System32\combase.dll+3e72d|C:\Windows\System32\combase.dll+61f6f|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+5e426|C:\Windows\System32\combase.dll+5dbda
10341000x8000000000000000285838Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:45.141{C8EA50B7-F2AD-6215-B800-000000003802}43485380C:\Windows\System32\RuntimeBroker.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+621bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae95a|C:\Windows\System32\combase.dll+a571d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65313|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+638d8|C:\Windows\System32\combase.dll+6165d|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+7c239|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd
10341000x8000000000000000285837Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:45.141{C8EA50B7-F2AD-6215-B800-000000003802}43485380C:\Windows\System32\RuntimeBroker.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+621bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae95a|C:\Windows\System32\combase.dll+a571d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65313|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+638d8|C:\Windows\System32\combase.dll+6165d|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+7c239|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+3534e
10341000x8000000000000000285836Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:45.141{C8EA50B7-F2AD-6215-B800-000000003802}43485720C:\Windows\System32\RuntimeBroker.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+621bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae95a|C:\Windows\System32\combase.dll+a571d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65313|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+638d8|C:\Windows\System32\combase.dll+6165d|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+7c239|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd
10341000x8000000000000000285835Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:45.141{C8EA50B7-F2AD-6215-B800-000000003802}43483224C:\Windows\System32\RuntimeBroker.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+621bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae95a|C:\Windows\System32\combase.dll+a571d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65313|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+638d8|C:\Windows\System32\combase.dll+6165d|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+7c239|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd
10341000x8000000000000000285834Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:45.141{C8EA50B7-F2AD-6215-B800-000000003802}43485720C:\Windows\System32\RuntimeBroker.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+621bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae95a|C:\Windows\System32\combase.dll+a571d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65313|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+638d8|C:\Windows\System32\combase.dll+6165d|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+7c239|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+3534e
10341000x8000000000000000285833Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:45.141{C8EA50B7-F2AD-6215-B800-000000003802}43483224C:\Windows\System32\RuntimeBroker.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+621bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae95a|C:\Windows\System32\combase.dll+a571d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65313|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+638d8|C:\Windows\System32\combase.dll+6165d|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+7c239|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+3534e
10341000x8000000000000000285832Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:45.141{C8EA50B7-F2AD-6215-B800-000000003802}43484432C:\Windows\System32\RuntimeBroker.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+621bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae95a|C:\Windows\System32\combase.dll+a571d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65313|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+638d8|C:\Windows\System32\combase.dll+6165d|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+7c239|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd
10341000x8000000000000000285831Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:45.141{C8EA50B7-F2AD-6215-B800-000000003802}43484432C:\Windows\System32\RuntimeBroker.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+621bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae95a|C:\Windows\System32\combase.dll+a571d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65313|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+638d8|C:\Windows\System32\combase.dll+6165d|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+7c239|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+3534e
10341000x8000000000000000285830Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:45.141{C8EA50B7-F2AD-6215-B800-000000003802}43485380C:\Windows\System32\RuntimeBroker.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+621bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae95a|C:\Windows\System32\combase.dll+a571d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65313|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+638d8|C:\Windows\System32\combase.dll+6165d|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+7c239|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd
10341000x8000000000000000285829Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:45.141{C8EA50B7-F2AD-6215-B800-000000003802}43485380C:\Windows\System32\RuntimeBroker.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+621bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae95a|C:\Windows\System32\combase.dll+a571d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65313|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+638d8|C:\Windows\System32\combase.dll+6165d|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+7c239|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+3534e
10341000x8000000000000000285828Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:45.094{C8EA50B7-F2AD-6215-B800-000000003802}43485380C:\Windows\System32\RuntimeBroker.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+621bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae95a|C:\Windows\System32\combase.dll+a571d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65313|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+638d8|C:\Windows\System32\combase.dll+6165d|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+7c239|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd
10341000x8000000000000000285827Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:45.094{C8EA50B7-F2AD-6215-B800-000000003802}43485380C:\Windows\System32\RuntimeBroker.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+621bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae95a|C:\Windows\System32\combase.dll+a571d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65313|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+638d8|C:\Windows\System32\combase.dll+6165d|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+7c239|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd
10341000x8000000000000000285826Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:45.063{C8EA50B7-F2AD-6215-B800-000000003802}43485380C:\Windows\System32\RuntimeBroker.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+621bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae95a|C:\Windows\System32\combase.dll+a571d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65313|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+638d8|C:\Windows\System32\combase.dll+6165d|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+7c239|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd
10341000x8000000000000000285825Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:45.063{C8EA50B7-F2AD-6215-B800-000000003802}43485380C:\Windows\System32\RuntimeBroker.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+621bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae95a|C:\Windows\System32\combase.dll+a571d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65313|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+638d8|C:\Windows\System32\combase.dll+6165d|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+7c239|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd
10341000x8000000000000000285824Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:45.057{C8EA50B7-F2AD-6215-B800-000000003802}43485380C:\Windows\System32\RuntimeBroker.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+621bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae95a|C:\Windows\System32\combase.dll+a571d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65313|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+638d8|C:\Windows\System32\combase.dll+6165d|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+7c239|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd
10341000x8000000000000000285823Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:45.057{C8EA50B7-F2AD-6215-B800-000000003802}43485380C:\Windows\System32\RuntimeBroker.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+621bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae95a|C:\Windows\System32\combase.dll+a571d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65313|C:\Windows\System32\combase.dll+64fc2|C:\Windows\System32\combase.dll+638d8|C:\Windows\System32\combase.dll+6165d|C:\Windows\System32\combase.dll+60d2f|C:\Windows\System32\combase.dll+7c239|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd
23542300x8000000000000000214892Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:46.617{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0025CE4272960B53FA22435D833DDFCA,SHA256=D0C059A818A67FCE3B92F1F66F07A43C2DFF1EE75695AB1ADE5154DBBAA462CF,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285883Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:46.891{C8EA50B7-0F2D-6216-C404-000000003802}1164ATTACKRANGE\AdministratorC:\Windows\system32\mmc.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\YKXF6S3A\views[1]MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285882Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:46.328{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BEC33A10563DE0621C826F647624712,SHA256=1F555499DFC2264D742F868E159D67472C41C83C01DFBA6AD7561A0458A53A5C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214891Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:46.195{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ED80BABF7349630E22B960E0D8B86F69,SHA256=B0C69DFFC91C5BADE442EA2F1770804291E163B82657E8D5F5EF3546403B0939,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214890Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:46.195{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F8F045894E3A428315C033123E55154A,SHA256=6935A14E6DA5337513D42A83BE8427A83FB70BD08AD19B5EA0E7433BC8E39FAA,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000214921Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:47.961{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-0F2F-6216-1404-000000003902}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214920Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:47.961{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214919Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:47.961{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214918Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:47.961{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214917Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:47.961{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214916Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:47.961{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214915Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:47.961{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214914Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:47.961{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214913Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:47.961{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214912Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:47.961{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214911Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:47.961{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-0F2F-6216-1404-000000003902}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000214910Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:47.961{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-0F2F-6216-1404-000000003902}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000214909Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:47.962{4F8D34B0-0F2F-6216-1404-000000003902}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x8000000000000000214908Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:47.774{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4D288AB5DDEF9162AD57C4D75463BB6,SHA256=EC85C43E5DE7C69AF336FE1F2900E0D9F0C0BBAA6483C2A69078E8AF25897A88,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285884Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:47.331{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86919392A611EF84CA4B59C84DA2E361,SHA256=ECD413DF86BC643BD4F1FC70C05ED319CC3B17B114C2B92FDCBBB05088DD422E,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000214907Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:47.743{4F8D34B0-0F2F-6216-1304-000000003902}12402052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
354300x8000000000000000214906Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:45.197{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51221-false10.0.1.12-8089-
10341000x8000000000000000214905Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:47.461{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-0F2F-6216-1304-000000003902}1240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214904Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:47.461{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214903Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:47.461{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214902Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:47.461{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214901Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:47.461{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214900Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:47.461{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214899Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:47.461{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214898Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:47.461{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214897Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:47.461{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214896Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:47.461{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214895Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:47.461{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-0F2F-6216-1304-000000003902}1240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000214894Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:47.461{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-0F2F-6216-1304-000000003902}1240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000214893Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:47.462{4F8D34B0-0F2F-6216-1304-000000003902}1240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x8000000000000000214924Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:48.868{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=550FA2371948E23699F90E6857C80097,SHA256=2C3743227F06570F2BB66DE86A2E8725961ECB0B291702260A46F1E51CD28724,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285890Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:48.344{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C03F30BE37534A245AD3BEA943171807,SHA256=C22A072120F3294F5721AC8A777AE2182BA9104287A990EB9C768392DC1C3B2A,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000214923Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:46.634{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51222-false10.0.1.12-8000-
23542300x8000000000000000214922Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:48.571{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ED80BABF7349630E22B960E0D8B86F69,SHA256=B0C69DFFC91C5BADE442EA2F1770804291E163B82657E8D5F5EF3546403B0939,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285889Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:48.328{C8EA50B7-F2AD-6215-BB00-000000003802}4488ATTACKRANGE\AdministratorC:\Windows\system32\taskhostw.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\UFGN8YJ3\views[1]MD5=BEE1758A485085BB8A121EB74BA7E96F,SHA256=EDCAD5B1CE8A304B70B8C9EA57D4AEAB740D979FFA59243B943011CB1BA4D57E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285888Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:48.328{C8EA50B7-0F2D-6216-C404-000000003802}1164ATTACKRANGE\AdministratorC:\Windows\system32\mmc.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\YKXF6S3A\views[1]MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285887Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:48.250{C8EA50B7-F2AD-6215-BB00-000000003802}4488ATTACKRANGE\AdministratorC:\Windows\system32\taskhostw.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\YKXF6S3A\views[1]MD5=A726593A8261930E4786375106FC6BFE,SHA256=E6BFDFBB9A0649EA9D38DE4255C355C581097E6A1035A54943260B22AD45F172,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285886Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:48.250{C8EA50B7-0F2D-6216-C404-000000003802}1164ATTACKRANGE\AdministratorC:\Windows\system32\mmc.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\F8NJDPEL\views[1]MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285885Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:48.234{C8EA50B7-0F2D-6216-C404-000000003802}1164ATTACKRANGE\AdministratorC:\Windows\system32\mmc.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\UFGN8YJ3\views[1]MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285891Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:49.359{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13E0601EB51C7B4FE6244C7D375DEA2C,SHA256=3921DF488890D23E5ACD5908E1F0035BAFF9BE162D3A411CFBF52174D2D26283,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000214951Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:49.836{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-0F31-6216-1604-000000003902}1176C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214950Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:49.836{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214949Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:49.836{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214948Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:49.836{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214947Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:49.836{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214946Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:49.836{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214945Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:49.836{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214944Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:49.836{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214943Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:49.836{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214942Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:49.836{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214941Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:49.836{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-0F31-6216-1604-000000003902}1176C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000214940Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:49.836{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-0F31-6216-1604-000000003902}1176C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000214939Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:49.837{4F8D34B0-0F31-6216-1604-000000003902}1176C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
10341000x8000000000000000214938Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:49.664{4F8D34B0-0F31-6216-1504-000000003902}28923168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214937Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:49.321{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-0F31-6216-1504-000000003902}2892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214936Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:49.321{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214935Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:49.321{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214934Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:49.321{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214933Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:49.321{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214932Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:49.321{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214931Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:49.321{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214930Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:49.321{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214929Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:49.321{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214928Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:49.321{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214927Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:49.321{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-0F31-6216-1504-000000003902}2892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000214926Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:49.321{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-0F31-6216-1504-000000003902}2892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000214925Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:49.322{4F8D34B0-0F31-6216-1504-000000003902}2892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x8000000000000000214954Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:50.336{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0DBFF022413BA79F018B233BFFB863B9,SHA256=CF865792E70FFB8333F547A3C1D48D5145BB3F54C5E6D752652FB9302A2D597C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214953Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:50.164{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DECA7F68847224F38A3145AA61470312,SHA256=B6085357AE3E903C1FB2015DD619AC1FADD839AA45BD48C1689C325213E0B9C7,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000214952Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:50.086{4F8D34B0-0F31-6216-1604-000000003902}1176696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285902Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:50.781{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c
10341000x8000000000000000285901Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:50.781{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c
10341000x8000000000000000285900Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:50.781{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c
10341000x8000000000000000285899Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:50.781{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c
10341000x8000000000000000285898Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:50.781{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c
10341000x8000000000000000285897Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:50.781{C8EA50B7-F2AD-6215-B900-000000003802}44365280C:\Windows\system32\sihost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+37dac|C:\Windows\System32\modernexecserver.dll+37d4f|C:\Windows\System32\modernexecserver.dll+375a6|C:\Windows\System32\modernexecserver.dll+1a1c4|C:\Windows\System32\modernexecserver.dll+3191d|C:\Windows\System32\modernexecserver.dll+32871|C:\Windows\System32\modernexecserver.dll+3278f|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285896Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:50.609{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c
10341000x8000000000000000285895Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:50.609{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C100-000000003802}5080C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c
10341000x8000000000000000285894Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:50.609{C8EA50B7-F11F-6215-0C00-000000003802}8282732C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c
354300x8000000000000000285893Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:48.694{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53285-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-
23542300x8000000000000000285892Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:50.375{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=662862C3662B4D5CC8167868BB10E9EE,SHA256=CF5FFB9BC176FD99C23D50D087B43A66D0F5A34709A0BD7D5E229B34E5F855BA,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000214968Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:51.493{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-0F33-6216-1704-000000003902}1908C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214967Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:51.493{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214966Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:51.493{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214965Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:51.493{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214964Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:51.493{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214963Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:51.493{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214962Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:51.493{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214961Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:51.493{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214960Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:51.493{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214959Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:51.493{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000214958Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:51.493{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-0F33-6216-1704-000000003902}1908C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000214957Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:51.493{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-0F33-6216-1704-000000003902}1908C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000214956Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:51.493{4F8D34B0-0F33-6216-1704-000000003902}1908C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x8000000000000000214955Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:51.321{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52E9F349F5266285EE9CB8454CF613E5,SHA256=37F229FA6FC11CD671F222156B92E9AA5670A5D47174D620D796739BA1D72801,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285903Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:51.406{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1099A6A74EC84DDCEB3BE7AC681159F,SHA256=6A7E1806281657B47637FA8D3FD3520C25CDCCC2F4923D59471C3704D65DBBBE,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214970Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:52.508{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9BD5EDD0C4EDEBD3699B569DB56C12A1,SHA256=D7C3966ED3AB075A7B56E979FA67C7F069E3883E2BA813F259D7F837B1C9B46E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214969Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:52.336{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55FFA3A7DF0A9101B3052010FB497174,SHA256=D183EB37D68667FBA122A2C9256B47B1C2D126CE0FA500C1DE0351F1A2674A4D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285904Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:52.469{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB25AECB18266EF4E6E8E2BE286A6D80,SHA256=88746DAB076AF094A2184BC5293EC98651F10CAE5BC37B155E88D371FED7EF8D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214971Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:53.399{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E935A4532DCFC9CC604FFA5AAE82D0D2,SHA256=104CF5962EDDCF3C9A211F222BE2F16A84BC1548353EFCA0AA797E9730796044,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285905Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:53.500{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B08DE5FE325486F00798F2BB6B85B746,SHA256=894DD0030A6D309BAF1303D2A82020709AB2488A3E0E14243294B34DF70D9126,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285906Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:54.531{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD1C7C8FC651BDF134DD32656AB956FE,SHA256=8CD7926EB5A5B007B9CCA3964E34BE370230FE43B86B34241BD1444074F78260,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000214973Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:51.665{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51223-false10.0.1.12-8000-
23542300x8000000000000000214972Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:54.430{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCDEDBEF2846D3B4352E520828D03D07,SHA256=344F6EA9520B7B19AE2CDB2ACFD72006F2AFEECF906FFE01698EA0778AE101FF,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214974Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:55.446{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAC6BC0EBEF6819CE377FBF719B89F42,SHA256=8583B9142B2F171EE1A3925A6C41CC23A6B9617E3BC5AE9C3BE2AED51F760769,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285907Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:55.563{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4B22B1E5532EE71F41D6D5A4D4F6C1D,SHA256=C3A8B94C0A6CA1B62B342BCF848EC33B3DF8E2A833CC83F07034232E0ADD3A79,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214975Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:56.446{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0785C30B84A06682C6CAEFEED8E471D2,SHA256=E307ABE935E7DD09231205B46515DF0897CA6B808EAA565871A873705E2736DD,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000285909Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:54.569{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53286-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-
23542300x8000000000000000285908Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:56.578{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64DC57F58D8DA16578A1805D3448A5F3,SHA256=FEA01A3CA3AFEE974F25149904FE21FB12EC479B672D06FFD181B8E1C4A0EFB5,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214976Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:57.664{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52CD0E0284076679FF5C60F5F677A2B4,SHA256=D28FFC51E59AFE0EA54D900493069425C4BA82CC889384343201077CB16716B3,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285910Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:57.594{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=736812D06709E51622868BC42878F34D,SHA256=67652C4685D01077ECA83D37C8247CE18912A1E44D805761EC35679170635743,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214977Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:58.821{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5D6B5CAE36239451664553B0E1FF50F,SHA256=A756F1F4BDC4B419326FD9DFAF18D3D5DD402D92F327CA3E10E7DAC19AAFA5C7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285911Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:58.688{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64E9252967C5478CFC30BBB2515566FC,SHA256=B7FC50145FD4C493E16C8652CA92E8E0FFF3484F826F486B01D2E93BE0DB4191,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214978Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:59.899{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB8D8C867AEAEEF17F0DA6B2AD5A2A52,SHA256=DDECAC3CF0018AB19BFAB178426EAEEEE0939EE258AAE2798CB2F122625378D4,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285912Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:40:59.719{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DD44713263ADDB032D5CB524047DAE2,SHA256=75631082DA8234019F2CF5648FAA27EC25735692E1757A0021A5FF57FD50641F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285913Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:00.734{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6A727212B3F3ADB411ACA9C4972048F,SHA256=B4AE351BCA0B3C930F93FE7F3E3CA507AD20D36D6A1D9BC01156FA0410F97B34,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000214979Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:40:57.650{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51224-false10.0.1.12-8000-
23542300x8000000000000000285915Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:01.829{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D017B40B3DABB5519EDCE8DDBBA1DD06,SHA256=A0D2C88CDD0E5A3D23C7F248767C8459730A300097FB716BB536AA16E9676FDA,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214980Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:01.008{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20F3846CDC8B6D1851237144D3DF9591,SHA256=0946455D57C44A6B3C7E7653DD646341B333684D1A42A411E376CB377A8A8EA9,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285914Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:01.708{C8EA50B7-F130-6215-2F00-000000003802}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03cdc2690a17b3e8a\channels\health\respondent-20220223083251-124MD5=A38EB58E8C6680789F1AEA0022EC0210,SHA256=7B5C3F2ACD9B17C99423AC4BB2B0CFD455B3A71F8C48567BF2A051FF8E6D4921,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000285936Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:02.969{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0F3E-6216-C604-000000003802}3624C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285935Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:02.969{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285934Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:02.969{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285933Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:02.969{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285932Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:02.969{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285931Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:02.969{C8EA50B7-F11C-6215-0500-000000003802}412368C:\Windows\system32\csrss.exe{C8EA50B7-0F3E-6216-C604-000000003802}3624C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000285930Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:02.969{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0F3E-6216-C604-000000003802}3624C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000285929Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:02.782{C8EA50B7-0F3E-6216-C604-000000003802}3624C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x8000000000000000285928Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:02.922{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4CBE4520BE5F2D88F70607BBD5CC2DC6,SHA256=363E0370CE1BB74A61FBED727A3269EF10F791521EB75ED5CAC3D29F1C3F5090,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285927Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:02.922{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5D1A7E595B563C5B8CF5A58902175106,SHA256=0851804D06BE44980011E4FE0848428797F52AE857986850A7B7F6B4E32FB942,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285926Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:02.875{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49934ED88F6AC533F1B700BE5D15DCDA,SHA256=68B9A566C5316D5CA3EC010FFDC06A05AEF841EEFCD4FC6615A92BE4526CC9F0,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214981Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:02.227{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7E1B43CCC1466663560534645079503,SHA256=9545268A9B9190A727C35C97A81954DFDF879197F94180E6C71C58028A704353,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285925Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:02.721{C8EA50B7-F130-6215-2F00-000000003802}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03cdc2690a17b3e8a\channels\health\surveyor-20220223083249-125MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000285924Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:02.298{C8EA50B7-0F3D-6216-C504-000000003802}57404472C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285923Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:02.048{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285922Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:02.048{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0F3D-6216-C504-000000003802}5740C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285921Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:02.048{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285920Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:02.048{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285919Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:02.048{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285918Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:02.048{C8EA50B7-F11C-6215-0500-000000003802}412428C:\Windows\system32\csrss.exe{C8EA50B7-0F3D-6216-C504-000000003802}5740C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000285917Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:02.048{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0F3D-6216-C504-000000003802}5740C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000285916Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:01.893{C8EA50B7-0F3D-6216-C504-000000003802}5740C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x8000000000000000285938Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:03.880{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=678D76BFE786FE9AD591AE5F63EFE864,SHA256=F12040073DC65CA79FAB782243D9FD1490C5CAE978A48C1A94E0AB094EAF0808,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214982Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:03.227{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30AB77897412A39FC58960A6ED852EE6,SHA256=E45128E8303E45A9C0114A6B425724D30B9DE9E147A66F3222F768777440B10F,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000285937Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:00.553{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53287-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-
23542300x8000000000000000285948Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:04.927{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C209F3B331123101344EB214CE147B9,SHA256=61885F462FB8931C8B5F21941FF51387AD67C23FDF2112A4CCBAAD37424D4993,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214983Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:04.461{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=221601D5B0FE1E4BBAE69A1521642A02,SHA256=8D252532BCF8A460FF8D42700DF565A83EB37477A6917FD9F7E8DCDD7731C14B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285947Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:04.661{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4CBE4520BE5F2D88F70607BBD5CC2DC6,SHA256=363E0370CE1BB74A61FBED727A3269EF10F791521EB75ED5CAC3D29F1C3F5090,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000285946Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:04.317{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0F40-6216-C704-000000003802}5252C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285945Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:04.317{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285944Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:04.317{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285943Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:04.317{C8EA50B7-F11C-6215-0500-000000003802}4122608C:\Windows\system32\csrss.exe{C8EA50B7-0F40-6216-C704-000000003802}5252C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000285942Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:04.317{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285941Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:04.317{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285940Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:04.317{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0F40-6216-C704-000000003802}5252C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000285939Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:04.162{C8EA50B7-0F40-6216-C704-000000003802}5252C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x8000000000000000285951Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:05.989{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=284F8708A822A0B739833C82B39631EB,SHA256=5B35019D25A4FECED25284C7F8E3406986892346A1B5B3B160F84C6E8B4855AF,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214984Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:05.571{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4594E659ACB2BABBF38EC0218576B1A,SHA256=28DEBB0F24D8989491410F8381BABBC223D49709FC7FF5BA58BCF6DD9E89D6FF,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000285950Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:03.136{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53288-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local389ldap
354300x8000000000000000285949Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:03.136{C8EA50B7-F130-6215-2C00-000000003802}2420C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53288-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local389ldap
23542300x8000000000000000214986Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:06.618{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF7DAE77213C76607CE33686060DA09C,SHA256=459C95A2E8BAB7E738ED7C9C52F7F76758D457A1DC49292F8BCE6B45ED0BCFDB,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000214985Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:03.540{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51225-false10.0.1.12-8000-
23542300x8000000000000000214987Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:07.836{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE59E9E82BCAB209AB7BFDB5C83530B3,SHA256=1941E4D18930B52D672CB592D7224C7C345C8E3E6D1E78F1CD81402A25F54A2A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285952Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:07.020{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18AF70D9341BF36718577AC97425D1FB,SHA256=828D57490AF497F307A881DCE0ECEEE79F20E0AC2B8ABAAECCFF51A8C86B2515,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214988Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:08.836{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35122A1BD202B16DBB713FEF0E00D31C,SHA256=22F1F1CF4CB1FE7EECB388AB02E03491C5BB32E07C98B5CE0106C5E76577EAC0,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000285954Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:05.668{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53289-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-
23542300x8000000000000000285953Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:08.052{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08399302B338332D90B95797983BAA9F,SHA256=EF25435F0EC90A0EF30A074C3B9C11F2FDA2DECCA95A58E14BB2B2A21AFEE541,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285955Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:09.067{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CF4CEB41EEF03666B9D675EA6BAE84A,SHA256=438ABC29CB0AB25310E659F26D77BDC707DCCE0B0A54064250F6D05AA1BE612C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214989Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:10.071{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8ECC7F2EBC8F72AE13D0D7359A39A1E,SHA256=345D9FC28E5ECD9A93C517E8E52F60C622B3165AFDD5D2E335D64014FBEE7468,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285956Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:10.098{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0F24FC566B37CEF64E38E528B96B678,SHA256=35393397E74DC6F999FBAEC0CF5172D0E525AA484A461AEF5152E118C61FC30F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285957Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:11.114{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DED35C2BAF8325F635673CE73B5F144A,SHA256=D9371BAEF2036E29A75BF077D1165139CF0EF0664F454E139CA4B548D9E4230D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214990Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:11.117{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAA96471D7CE3C64D9F05CF8C1C212C9,SHA256=CAFABEE41EDB3F5FD4AD4D583134D13B380B2EB7E63445352DC326241FBB1B65,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285958Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:12.145{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59FAE9F0344F2A5F060B496B7B946912,SHA256=D4C73B4F1FB916EEC953D70342561F6084893B2617578507C6D431E1CFD8211D,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000214992Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:09.606{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51226-false10.0.1.12-8000-
23542300x8000000000000000214991Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:12.133{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50D09B80641B72E1432B1A0AEC8C496D,SHA256=B5DD1C545BB6441825A016513A3D600FB3B611B7BDE8F0C91B19056C3924AC88,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214993Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:13.149{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8029AFE40923DB7004C41D3ECE183D0,SHA256=BDEEB5B5691A6934F5DB88798FDD883DE4CB0FE221001CF962A35292AFCF166D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285959Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:13.145{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00C76E74FF16561664CF3C7B2023D71D,SHA256=70D557E5A615CA46C3AB94EF5B25522EFBA781D1271ADF4E6D84EC234095F6EC,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214994Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:14.164{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BD86D0AA3BE1E7134CFAC3A78109963,SHA256=43A9F47969780BBF844B999F557B03C9C593991E2D416A4AF003026070380E7A,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000285961Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:11.574{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53290-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-
23542300x8000000000000000285960Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:14.161{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8AC05C16BF664F06ADD6E79409D0C86,SHA256=20E86D2E6CEBEFF4FB89718BCCCC5834A964F9627BB539C83A499BD0C68674CB,IMPHASH=00000000000000000000000000000000falsetrue
11241100x8000000000000000285965Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1037,T14842022-02-23 10:41:15.630{C8EA50B7-0F2D-6216-C404-000000003802}1164C:\Windows\system32\mmc.exeC:\Windows\System32\GroupPolicy\Machine\Scripts\Shutdown2022-02-23 10:41:15.630
11241100x8000000000000000285964Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1037,T14842022-02-23 10:41:15.630{C8EA50B7-0F2D-6216-C404-000000003802}1164C:\Windows\system32\mmc.exeC:\Windows\System32\GroupPolicy\Machine\Scripts\Startup2022-02-23 10:41:15.630
11241100x8000000000000000285963Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.localT1037,T14842022-02-23 10:41:15.630{C8EA50B7-0F2D-6216-C404-000000003802}1164C:\Windows\system32\mmc.exeC:\Windows\System32\GroupPolicy\Machine\Scripts2022-02-23 10:41:15.630
23542300x8000000000000000285962Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:15.177{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9823EECB5DC65DF17101C6E96B14D3C8,SHA256=949D0195DA06B8B99CC674A7516A1B0442379D272E3825827D455F9A31182E1C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214995Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:15.164{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=079B5874C207A4EAA64FDF2FD7062E81,SHA256=980DDA340AD643AE424ED169534942E9702E277BEBAC8420C55DD02669987181,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285966Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:16.208{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2AFE2EFAB86EDBCBA793B2FD9A9D753,SHA256=B84E99A6CBD9177818267B35A64CC68B9594B8B54CF94C946E572113A9005675,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214996Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:16.211{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA53C703B6DD822D34CC68DEAF4D9DBD,SHA256=4DEDBD9D2A68C812547E244367AE4C366B3587F66082E70901F7DEFB19F9E4A5,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285967Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:17.348{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=757160E4503D502B5E56A75B1DDDD2FC,SHA256=CA7DCF69D7A8B0B4B744DB5D4AA1BB86755B86459F5BDA6BCCFD6FCD23769617,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000214998Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:14.681{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51227-false10.0.1.12-8000-
23542300x8000000000000000214997Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:17.289{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F716437168AF757971C4CCCB78BE5B62,SHA256=CA08A5F5F2A74924FC4226D21C2FA56B680B4B35705F67E22EA95A7E0BB70059,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000285968Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:18.395{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEDA4C1983CD16F3F281FE97FFE1F6FD,SHA256=1A4ED887ACDACCC50C991946270FB4DCA4BDDAB234558DFE33F62CCCF6EC699E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000214999Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:18.321{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C664323E2D7665DED7639871A591E26B,SHA256=5BEF80CCD5B513FDEFA7A11877605C5FCFD329236F288CC8949FD3C24A6B2531,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000215000Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:19.336{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15A7D2EBB2510F70E6D3053322A62F34,SHA256=2A3357F5D4D31746B2FE4ED0A3880DF7F51DB88F7725CA5BD10E54A33249B247,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000285987Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:19.989{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0F4F-6216-C904-000000003802}5788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285986Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:19.989{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285985Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:19.989{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285984Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:19.989{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285983Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:19.989{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285982Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:19.989{C8EA50B7-F11C-6215-0500-000000003802}4122608C:\Windows\system32\csrss.exe{C8EA50B7-0F4F-6216-C904-000000003802}5788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000285981Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:19.989{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0F4F-6216-C904-000000003802}5788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000285980Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:19.990{C8EA50B7-0F4F-6216-C904-000000003802}5788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
10341000x8000000000000000285979Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:19.786{C8EA50B7-0F4F-6216-C804-000000003802}13885948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285978Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:19.473{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0F4F-6216-C804-000000003802}1388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285977Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:19.473{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285976Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:19.473{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285975Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:19.473{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285974Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:19.473{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285973Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:19.473{C8EA50B7-F11C-6215-0500-000000003802}412368C:\Windows\system32\csrss.exe{C8EA50B7-0F4F-6216-C804-000000003802}1388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000285972Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:19.473{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0F4F-6216-C804-000000003802}1388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000285971Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:19.474{C8EA50B7-0F4F-6216-C804-000000003802}1388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x8000000000000000285970Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:19.427{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=155D610ED4F430ADFEC83A3AA99CFBBA,SHA256=BC76F41B8997B991D2097B0D598F7BD52E02A243EB8509731EFF6B5591FD96B5,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000285969Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:16.669{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53291-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-
23542300x8000000000000000215001Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:20.367{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BBE9C2A7D566C987C58571B52713E38,SHA256=D3EAD286C111436AF4937E0BB32F43AD837A8D98340722A1A09B68E3AB7055D8,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000286010Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:20.989{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0F50-6216-CB04-000000003802}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000286009Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:20.989{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000286008Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:20.989{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000286007Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:20.989{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000286006Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:20.989{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000286005Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:20.989{C8EA50B7-F11C-6215-0500-000000003802}412368C:\Windows\system32\csrss.exe{C8EA50B7-0F50-6216-CB04-000000003802}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000286004Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:20.989{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0F50-6216-CB04-000000003802}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000286003Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:20.990{C8EA50B7-0F50-6216-CB04-000000003802}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
10341000x8000000000000000286002Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:20.739{C8EA50B7-0F50-6216-CA04-000000003802}26524268C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x8000000000000000286001Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:20.567{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F9031FC8D1D5A3A11CE7C818619E65C,SHA256=5F08ED7E882994FC790483846D2F4F0A83B2D855FFE69B1E91B49A246871FB8A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000286000Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:20.536{C8EA50B7-0F2D-6216-C404-000000003802}1164ATTACKRANGE\AdministratorC:\Windows\system32\mmc.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\SchCache\win-dc-tcontreras-attack-range-173.attackrange.local.schMD5=3B3531A335298119AD90D9B9BEB810AF,SHA256=77996876B4230A7DFCE13A77C0AA2E3B969AFA2A4562FD8583B6DDE3742EB2AD,IMPHASH=00000000000000000000000000000000falsetrue
734700x8000000000000000285999Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:20.505{C8EA50B7-0F2D-6216-C404-000000003802}1164C:\Windows\System32\mmc.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid
10341000x8000000000000000285998Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:20.489{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0F50-6216-CA04-000000003802}2652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x8000000000000000285997Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:20.489{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AB8C2E12FC1EA500817255F8D46EBA3D,SHA256=02EDE26E4508D15B789D32103E6A3423F973EF1EC55EAF695D74CA0F9CECF936,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000285996Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:20.489{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285995Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:20.489{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x8000000000000000285994Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:20.489{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AA32A318F037709C904AA7046ED21982,SHA256=EA6547282DF53309F804817F74694B42BB88EF83159D7F9C0D76D45FD1C326A2,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000285993Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:20.489{C8EA50B7-F11C-6215-0500-000000003802}412528C:\Windows\system32\csrss.exe{C8EA50B7-0F50-6216-CA04-000000003802}2652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000285992Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:20.489{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285991Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:20.489{C8EA50B7-F11F-6215-0C00-000000003802}8286016C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000285990Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:20.489{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0F50-6216-CA04-000000003802}2652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000285989Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:20.492{C8EA50B7-0F50-6216-CA04-000000003802}2652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
10341000x8000000000000000285988Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:20.302{C8EA50B7-0F4F-6216-C904-000000003802}5788224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x8000000000000000215002Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:21.602{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=919C426E9ABF40B713A01997BC3D927B,SHA256=4FB23A0872178669D7CB5F60C43376C25780FCE414611238D2AC611F1692B90F,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000286014Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:19.971{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53292-false10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local389ldap
354300x8000000000000000286013Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:19.971{C8EA50B7-0F2D-6216-C404-000000003802}1164C:\Windows\System32\mmc.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53292-false10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local389ldap
23542300x8000000000000000286012Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:21.520{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9287D73AC9900A06D2CC391E4EA463A4,SHA256=B4381662983494C6DA4F6E24981122F38AAEC11244B74DA89525A0A15DE32A59,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000286011Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:21.505{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AB8C2E12FC1EA500817255F8D46EBA3D,SHA256=02EDE26E4508D15B789D32103E6A3423F973EF1EC55EAF695D74CA0F9CECF936,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000215004Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:20.587{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51228-false10.0.1.12-8000-
23542300x8000000000000000215003Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:22.617{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF0DE2276842ED0AFB417B66CA97B3D1,SHA256=08191DA0B5CC28ADA7D1B220E50FD89EDDBDCF96F36BECC850DE2ABE33B7D9AE,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000286016Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:22.536{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10E31DDAAE09E9745A5C19D629CD9CA5,SHA256=1E5FDD422D5C3E742657E18FE3ABEC8D872239D7C720871594099B1891419597,IMPHASH=00000000000000000000000000000000falsetrue
22542200x8000000000000000286015Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:19.988{C8EA50B7-0F2D-6216-C404-000000003802}1164win-dc-tcontreras-attack-range-173.attackrange.local0fe80::dc9d:9662:799b:139c;::ffff:10.0.1.14;C:\Windows\System32\mmc.exe
23542300x8000000000000000286049Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:23.567{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=897F2396A484C034BB434A69F2B0AEDB,SHA256=12855AB6279EB3A71A3ECAAEE0D739C496F02FB39BBC4450BC0DC3E114E0D8C3,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000215005Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:23.758{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A92B283F8CBA330DC3B66515404BFF6,SHA256=A4249544F2FB84C1FC5951C0EDA8B81AB4E5DA7CA7F11369AA666F52FEECF8D0,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000286048Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:23.208{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF5414A5A5288221CD80E3AD00163692,SHA256=690ACB681524725906D8F7B40585A10E01BF3748DECA42949AFEE6E748EACE7D,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000286047Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:23.067{C8EA50B7-0F2D-6216-C404-000000003802}1164580C:\Windows\system32\mmc.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+1c0e5|C:\Windows\System32\SHELL32.dll+535ce|C:\Windows\System32\SHELL32.dll+848f2|C:\Windows\System32\ieframe.dll+68d3c|C:\Windows\System32\ieframe.dll+68be4|C:\Windows\System32\ieframe.dll+68827|C:\Windows\System32\ieframe.dll+6874c|C:\Windows\System32\ieframe.dll+66e25|C:\Windows\System32\ieframe.dll+66b8a|C:\Windows\System32\ieframe.dll+64199|C:\Windows\System32\ieframe.dll+bf744|C:\Windows\System32\ieframe.dll+be283|C:\Windows\System32\ieframe.dll+7418c|C:\Windows\System32\ieframe.dll+7472c|C:\Windows\System32\ieframe.dll+7451d|C:\Windows\System32\ieframe.dll+74437|C:\Windows\System32\mshtml.dll+124158|C:\Windows\System32\mshtml.dll+123a11|C:\Windows\System32\mshtml.dll+112698|C:\Windows\System32\mshtml.dll+113e1c|C:\Windows\System32\mshtml.dll+113777
10341000x8000000000000000286046Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:23.067{C8EA50B7-0F2D-6216-C404-000000003802}1164580C:\Windows\system32\mmc.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+1c0e5|C:\Windows\System32\SHELL32.dll+53538|C:\Windows\System32\SHELL32.dll+848f2|C:\Windows\System32\ieframe.dll+68d3c|C:\Windows\System32\ieframe.dll+68be4|C:\Windows\System32\ieframe.dll+68827|C:\Windows\System32\ieframe.dll+6874c|C:\Windows\System32\ieframe.dll+66e25|C:\Windows\System32\ieframe.dll+66b8a|C:\Windows\System32\ieframe.dll+64199|C:\Windows\System32\ieframe.dll+bf744|C:\Windows\System32\ieframe.dll+be283|C:\Windows\System32\ieframe.dll+7418c|C:\Windows\System32\ieframe.dll+7472c|C:\Windows\System32\ieframe.dll+7451d|C:\Windows\System32\ieframe.dll+74437|C:\Windows\System32\mshtml.dll+124158|C:\Windows\System32\mshtml.dll+123a11|C:\Windows\System32\mshtml.dll+112698|C:\Windows\System32\mshtml.dll+113e1c|C:\Windows\System32\mshtml.dll+113777
10341000x8000000000000000286045Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:23.067{C8EA50B7-0F2D-6216-C404-000000003802}1164580C:\Windows\system32\mmc.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+6482|C:\Windows\System32\SHCORE.DLL+617d|C:\Windows\System32\SHCORE.DLL+5e3d|C:\Windows\System32\SHCORE.DLL+5dcf|C:\Windows\System32\SHCORE.DLL+5cd4|C:\Windows\System32\SHELL32.dll+5351a|C:\Windows\System32\SHELL32.dll+848f2|C:\Windows\System32\ieframe.dll+68d3c|C:\Windows\System32\ieframe.dll+68be4|C:\Windows\System32\ieframe.dll+68827|C:\Windows\System32\ieframe.dll+6874c|C:\Windows\System32\ieframe.dll+66e25|C:\Windows\System32\ieframe.dll+66b8a|C:\Windows\System32\ieframe.dll+64199|C:\Windows\System32\ieframe.dll+bf744|C:\Windows\System32\ieframe.dll+be283|C:\Windows\System32\ieframe.dll+7418c|C:\Windows\System32\ieframe.dll+7472c|C:\Windows\System32\ieframe.dll+7451d|C:\Windows\System32\ieframe.dll+74437|C:\Windows\System32\mshtml.dll+124158
10341000x8000000000000000286044Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:23.067{C8EA50B7-0F2D-6216-C404-000000003802}1164580C:\Windows\system32\mmc.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+6154|C:\Windows\System32\SHCORE.DLL+5e3d|C:\Windows\System32\SHCORE.DLL+5dcf|C:\Windows\System32\SHCORE.DLL+5cd4|C:\Windows\System32\SHELL32.dll+5351a|C:\Windows\System32\SHELL32.dll+848f2|C:\Windows\System32\ieframe.dll+68d3c|C:\Windows\System32\ieframe.dll+68be4|C:\Windows\System32\ieframe.dll+68827|C:\Windows\System32\ieframe.dll+6874c|C:\Windows\System32\ieframe.dll+66e25|C:\Windows\System32\ieframe.dll+66b8a|C:\Windows\System32\ieframe.dll+64199|C:\Windows\System32\ieframe.dll+bf744|C:\Windows\System32\ieframe.dll+be283|C:\Windows\System32\ieframe.dll+7418c|C:\Windows\System32\ieframe.dll+7472c|C:\Windows\System32\ieframe.dll+7451d|C:\Windows\System32\ieframe.dll+74437|C:\Windows\System32\mshtml.dll+124158|C:\Windows\System32\mshtml.dll+123a11
10341000x8000000000000000286043Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:23.067{C8EA50B7-0F2D-6216-C404-000000003802}1164580C:\Windows\system32\mmc.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+1c0e5|C:\Windows\System32\SHELL32.dll+53538|C:\Windows\System32\SHELL32.dll+848f2|C:\Windows\System32\ieframe.dll+68cdc|C:\Windows\System32\ieframe.dll+68be4|C:\Windows\System32\ieframe.dll+68827|C:\Windows\System32\ieframe.dll+6874c|C:\Windows\System32\ieframe.dll+66e25|C:\Windows\System32\ieframe.dll+66b8a|C:\Windows\System32\ieframe.dll+64199|C:\Windows\System32\ieframe.dll+bf744|C:\Windows\System32\ieframe.dll+be283|C:\Windows\System32\ieframe.dll+7418c|C:\Windows\System32\ieframe.dll+7472c|C:\Windows\System32\ieframe.dll+7451d|C:\Windows\System32\ieframe.dll+74437|C:\Windows\System32\mshtml.dll+124158|C:\Windows\System32\mshtml.dll+123a11|C:\Windows\System32\mshtml.dll+112698|C:\Windows\System32\mshtml.dll+113e1c|C:\Windows\System32\mshtml.dll+113777
10341000x8000000000000000286042Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:23.067{C8EA50B7-0F2D-6216-C404-000000003802}1164580C:\Windows\system32\mmc.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+1c0e5|C:\Windows\System32\SHELL32.dll+535ce|C:\Windows\System32\SHELL32.dll+848f2|C:\Windows\System32\ieframe.dll+68cdc|C:\Windows\System32\ieframe.dll+68be4|C:\Windows\System32\ieframe.dll+68827|C:\Windows\System32\ieframe.dll+6874c|C:\Windows\System32\ieframe.dll+66e25|C:\Windows\System32\ieframe.dll+66b8a|C:\Windows\System32\ieframe.dll+64199|C:\Windows\System32\ieframe.dll+bf744|C:\Windows\System32\ieframe.dll+be283|C:\Windows\System32\ieframe.dll+7418c|C:\Windows\System32\ieframe.dll+7472c|C:\Windows\System32\ieframe.dll+7451d|C:\Windows\System32\ieframe.dll+74437|C:\Windows\System32\mshtml.dll+124158|C:\Windows\System32\mshtml.dll+123a11|C:\Windows\System32\mshtml.dll+112698|C:\Windows\System32\mshtml.dll+113e1c|C:\Windows\System32\mshtml.dll+113777
10341000x8000000000000000286041Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:23.067{C8EA50B7-0F2D-6216-C404-000000003802}1164580C:\Windows\system32\mmc.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+6482|C:\Windows\System32\SHCORE.DLL+617d|C:\Windows\System32\SHCORE.DLL+5e3d|C:\Windows\System32\SHCORE.DLL+5dcf|C:\Windows\System32\SHCORE.DLL+5cd4|C:\Windows\System32\SHELL32.dll+5351a|C:\Windows\System32\SHELL32.dll+848f2|C:\Windows\System32\ieframe.dll+68cdc|C:\Windows\System32\ieframe.dll+68be4|C:\Windows\System32\ieframe.dll+68827|C:\Windows\System32\ieframe.dll+6874c|C:\Windows\System32\ieframe.dll+66e25|C:\Windows\System32\ieframe.dll+66b8a|C:\Windows\System32\ieframe.dll+64199|C:\Windows\System32\ieframe.dll+bf744|C:\Windows\System32\ieframe.dll+be283|C:\Windows\System32\ieframe.dll+7418c|C:\Windows\System32\ieframe.dll+7472c|C:\Windows\System32\ieframe.dll+7451d|C:\Windows\System32\ieframe.dll+74437|C:\Windows\System32\mshtml.dll+124158
10341000x8000000000000000286040Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:23.067{C8EA50B7-0F2D-6216-C404-000000003802}1164580C:\Windows\system32\mmc.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+6154|C:\Windows\System32\SHCORE.DLL+5e3d|C:\Windows\System32\SHCORE.DLL+5dcf|C:\Windows\System32\SHCORE.DLL+5cd4|C:\Windows\System32\SHELL32.dll+5351a|C:\Windows\System32\SHELL32.dll+848f2|C:\Windows\System32\ieframe.dll+68cdc|C:\Windows\System32\ieframe.dll+68be4|C:\Windows\System32\ieframe.dll+68827|C:\Windows\System32\ieframe.dll+6874c|C:\Windows\System32\ieframe.dll+66e25|C:\Windows\System32\ieframe.dll+66b8a|C:\Windows\System32\ieframe.dll+64199|C:\Windows\System32\ieframe.dll+bf744|C:\Windows\System32\ieframe.dll+be283|C:\Windows\System32\ieframe.dll+7418c|C:\Windows\System32\ieframe.dll+7472c|C:\Windows\System32\ieframe.dll+7451d|C:\Windows\System32\ieframe.dll+74437|C:\Windows\System32\mshtml.dll+124158|C:\Windows\System32\mshtml.dll+123a11
10341000x8000000000000000286039Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:23.067{C8EA50B7-0F2D-6216-C404-000000003802}1164580C:\Windows\system32\mmc.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+1c0e5|C:\Windows\System32\SHELL32.dll+535ce|C:\Windows\System32\SHELL32.dll+848f2|C:\Windows\System32\ieframe.dll+68bd5|C:\Windows\System32\ieframe.dll+68827|C:\Windows\System32\ieframe.dll+6874c|C:\Windows\System32\ieframe.dll+66e25|C:\Windows\System32\ieframe.dll+66b8a|C:\Windows\System32\ieframe.dll+64199|C:\Windows\System32\ieframe.dll+bf744|C:\Windows\System32\ieframe.dll+be283|C:\Windows\System32\ieframe.dll+7418c|C:\Windows\System32\ieframe.dll+7472c|C:\Windows\System32\ieframe.dll+7451d|C:\Windows\System32\ieframe.dll+74437|C:\Windows\System32\mshtml.dll+124158|C:\Windows\System32\mshtml.dll+123a11|C:\Windows\System32\mshtml.dll+112698|C:\Windows\System32\mshtml.dll+113e1c|C:\Windows\System32\mshtml.dll+113777|C:\Windows\System32\mshtml.dll+1176c1
10341000x8000000000000000286038Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:23.067{C8EA50B7-0F2D-6216-C404-000000003802}1164580C:\Windows\system32\mmc.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+1c0e5|C:\Windows\System32\SHELL32.dll+53538|C:\Windows\System32\SHELL32.dll+848f2|C:\Windows\System32\ieframe.dll+68bd5|C:\Windows\System32\ieframe.dll+68827|C:\Windows\System32\ieframe.dll+6874c|C:\Windows\System32\ieframe.dll+66e25|C:\Windows\System32\ieframe.dll+66b8a|C:\Windows\System32\ieframe.dll+64199|C:\Windows\System32\ieframe.dll+bf744|C:\Windows\System32\ieframe.dll+be283|C:\Windows\System32\ieframe.dll+7418c|C:\Windows\System32\ieframe.dll+7472c|C:\Windows\System32\ieframe.dll+7451d|C:\Windows\System32\ieframe.dll+74437|C:\Windows\System32\mshtml.dll+124158|C:\Windows\System32\mshtml.dll+123a11|C:\Windows\System32\mshtml.dll+112698|C:\Windows\System32\mshtml.dll+113e1c|C:\Windows\System32\mshtml.dll+113777|C:\Windows\System32\mshtml.dll+1176c1
10341000x8000000000000000286037Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:23.067{C8EA50B7-0F2D-6216-C404-000000003802}1164580C:\Windows\system32\mmc.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+6482|C:\Windows\System32\SHCORE.DLL+617d|C:\Windows\System32\SHCORE.DLL+5e3d|C:\Windows\System32\SHCORE.DLL+5dcf|C:\Windows\System32\SHCORE.DLL+5cd4|C:\Windows\System32\SHELL32.dll+5351a|C:\Windows\System32\SHELL32.dll+848f2|C:\Windows\System32\ieframe.dll+68bd5|C:\Windows\System32\ieframe.dll+68827|C:\Windows\System32\ieframe.dll+6874c|C:\Windows\System32\ieframe.dll+66e25|C:\Windows\System32\ieframe.dll+66b8a|C:\Windows\System32\ieframe.dll+64199|C:\Windows\System32\ieframe.dll+bf744|C:\Windows\System32\ieframe.dll+be283|C:\Windows\System32\ieframe.dll+7418c|C:\Windows\System32\ieframe.dll+7472c|C:\Windows\System32\ieframe.dll+7451d|C:\Windows\System32\ieframe.dll+74437|C:\Windows\System32\mshtml.dll+124158|C:\Windows\System32\mshtml.dll+123a11
10341000x8000000000000000286036Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:23.067{C8EA50B7-0F2D-6216-C404-000000003802}1164580C:\Windows\system32\mmc.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+6154|C:\Windows\System32\SHCORE.DLL+5e3d|C:\Windows\System32\SHCORE.DLL+5dcf|C:\Windows\System32\SHCORE.DLL+5cd4|C:\Windows\System32\SHELL32.dll+5351a|C:\Windows\System32\SHELL32.dll+848f2|C:\Windows\System32\ieframe.dll+68bd5|C:\Windows\System32\ieframe.dll+68827|C:\Windows\System32\ieframe.dll+6874c|C:\Windows\System32\ieframe.dll+66e25|C:\Windows\System32\ieframe.dll+66b8a|C:\Windows\System32\ieframe.dll+64199|C:\Windows\System32\ieframe.dll+bf744|C:\Windows\System32\ieframe.dll+be283|C:\Windows\System32\ieframe.dll+7418c|C:\Windows\System32\ieframe.dll+7472c|C:\Windows\System32\ieframe.dll+7451d|C:\Windows\System32\ieframe.dll+74437|C:\Windows\System32\mshtml.dll+124158|C:\Windows\System32\mshtml.dll+123a11|C:\Windows\System32\mshtml.dll+112698
10341000x8000000000000000286035Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:23.067{C8EA50B7-0F2D-6216-C404-000000003802}1164580C:\Windows\system32\mmc.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+1c0e5|C:\Windows\System32\SHELL32.dll+535ce|C:\Windows\System32\SHELL32.dll+848f2|C:\Windows\System32\ieframe.dll+68b9a|C:\Windows\System32\ieframe.dll+68827|C:\Windows\System32\ieframe.dll+6874c|C:\Windows\System32\ieframe.dll+66e25|C:\Windows\System32\ieframe.dll+66b8a|C:\Windows\System32\ieframe.dll+64199|C:\Windows\System32\ieframe.dll+bf744|C:\Windows\System32\ieframe.dll+be283|C:\Windows\System32\ieframe.dll+7418c|C:\Windows\System32\ieframe.dll+7472c|C:\Windows\System32\ieframe.dll+7451d|C:\Windows\System32\ieframe.dll+74437|C:\Windows\System32\mshtml.dll+124158|C:\Windows\System32\mshtml.dll+123a11|C:\Windows\System32\mshtml.dll+112698|C:\Windows\System32\mshtml.dll+113e1c|C:\Windows\System32\mshtml.dll+113777|C:\Windows\System32\mshtml.dll+1176c1
10341000x8000000000000000286034Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:23.067{C8EA50B7-0F2D-6216-C404-000000003802}1164580C:\Windows\system32\mmc.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+1c0e5|C:\Windows\System32\SHELL32.dll+53538|C:\Windows\System32\SHELL32.dll+848f2|C:\Windows\System32\ieframe.dll+68b9a|C:\Windows\System32\ieframe.dll+68827|C:\Windows\System32\ieframe.dll+6874c|C:\Windows\System32\ieframe.dll+66e25|C:\Windows\System32\ieframe.dll+66b8a|C:\Windows\System32\ieframe.dll+64199|C:\Windows\System32\ieframe.dll+bf744|C:\Windows\System32\ieframe.dll+be283|C:\Windows\System32\ieframe.dll+7418c|C:\Windows\System32\ieframe.dll+7472c|C:\Windows\System32\ieframe.dll+7451d|C:\Windows\System32\ieframe.dll+74437|C:\Windows\System32\mshtml.dll+124158|C:\Windows\System32\mshtml.dll+123a11|C:\Windows\System32\mshtml.dll+112698|C:\Windows\System32\mshtml.dll+113e1c|C:\Windows\System32\mshtml.dll+113777|C:\Windows\System32\mshtml.dll+1176c1
10341000x8000000000000000286033Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:23.067{C8EA50B7-0F2D-6216-C404-000000003802}1164580C:\Windows\system32\mmc.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+6482|C:\Windows\System32\SHCORE.DLL+617d|C:\Windows\System32\SHCORE.DLL+5e3d|C:\Windows\System32\SHCORE.DLL+5dcf|C:\Windows\System32\SHCORE.DLL+5cd4|C:\Windows\System32\SHELL32.dll+5351a|C:\Windows\System32\SHELL32.dll+848f2|C:\Windows\System32\ieframe.dll+68b9a|C:\Windows\System32\ieframe.dll+68827|C:\Windows\System32\ieframe.dll+6874c|C:\Windows\System32\ieframe.dll+66e25|C:\Windows\System32\ieframe.dll+66b8a|C:\Windows\System32\ieframe.dll+64199|C:\Windows\System32\ieframe.dll+bf744|C:\Windows\System32\ieframe.dll+be283|C:\Windows\System32\ieframe.dll+7418c|C:\Windows\System32\ieframe.dll+7472c|C:\Windows\System32\ieframe.dll+7451d|C:\Windows\System32\ieframe.dll+74437|C:\Windows\System32\mshtml.dll+124158|C:\Windows\System32\mshtml.dll+123a11
10341000x8000000000000000286032Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:23.067{C8EA50B7-0F2D-6216-C404-000000003802}1164580C:\Windows\system32\mmc.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+6154|C:\Windows\System32\SHCORE.DLL+5e3d|C:\Windows\System32\SHCORE.DLL+5dcf|C:\Windows\System32\SHCORE.DLL+5cd4|C:\Windows\System32\SHELL32.dll+5351a|C:\Windows\System32\SHELL32.dll+848f2|C:\Windows\System32\ieframe.dll+68b9a|C:\Windows\System32\ieframe.dll+68827|C:\Windows\System32\ieframe.dll+6874c|C:\Windows\System32\ieframe.dll+66e25|C:\Windows\System32\ieframe.dll+66b8a|C:\Windows\System32\ieframe.dll+64199|C:\Windows\System32\ieframe.dll+bf744|C:\Windows\System32\ieframe.dll+be283|C:\Windows\System32\ieframe.dll+7418c|C:\Windows\System32\ieframe.dll+7472c|C:\Windows\System32\ieframe.dll+7451d|C:\Windows\System32\ieframe.dll+74437|C:\Windows\System32\mshtml.dll+124158|C:\Windows\System32\mshtml.dll+123a11|C:\Windows\System32\mshtml.dll+112698
10341000x8000000000000000286031Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:23.067{C8EA50B7-0F2D-6216-C404-000000003802}1164580C:\Windows\system32\mmc.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+1c0e5|C:\Windows\System32\SHELL32.dll+535ce|C:\Windows\System32\SHELL32.dll+848f2|C:\Windows\System32\ieframe.dll+68b5f|C:\Windows\System32\ieframe.dll+68827|C:\Windows\System32\ieframe.dll+6874c|C:\Windows\System32\ieframe.dll+66e25|C:\Windows\System32\ieframe.dll+66b8a|C:\Windows\System32\ieframe.dll+64199|C:\Windows\System32\ieframe.dll+bf744|C:\Windows\System32\ieframe.dll+be283|C:\Windows\System32\ieframe.dll+7418c|C:\Windows\System32\ieframe.dll+7472c|C:\Windows\System32\ieframe.dll+7451d|C:\Windows\System32\ieframe.dll+74437|C:\Windows\System32\mshtml.dll+124158|C:\Windows\System32\mshtml.dll+123a11|C:\Windows\System32\mshtml.dll+112698|C:\Windows\System32\mshtml.dll+113e1c|C:\Windows\System32\mshtml.dll+113777|C:\Windows\System32\mshtml.dll+1176c1
10341000x8000000000000000286030Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:23.067{C8EA50B7-0F2D-6216-C404-000000003802}1164580C:\Windows\system32\mmc.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+1c0e5|C:\Windows\System32\SHELL32.dll+53538|C:\Windows\System32\SHELL32.dll+848f2|C:\Windows\System32\ieframe.dll+68b5f|C:\Windows\System32\ieframe.dll+68827|C:\Windows\System32\ieframe.dll+6874c|C:\Windows\System32\ieframe.dll+66e25|C:\Windows\System32\ieframe.dll+66b8a|C:\Windows\System32\ieframe.dll+64199|C:\Windows\System32\ieframe.dll+bf744|C:\Windows\System32\ieframe.dll+be283|C:\Windows\System32\ieframe.dll+7418c|C:\Windows\System32\ieframe.dll+7472c|C:\Windows\System32\ieframe.dll+7451d|C:\Windows\System32\ieframe.dll+74437|C:\Windows\System32\mshtml.dll+124158|C:\Windows\System32\mshtml.dll+123a11|C:\Windows\System32\mshtml.dll+112698|C:\Windows\System32\mshtml.dll+113e1c|C:\Windows\System32\mshtml.dll+113777|C:\Windows\System32\mshtml.dll+1176c1
10341000x8000000000000000286029Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:23.052{C8EA50B7-0F2D-6216-C404-000000003802}1164580C:\Windows\system32\mmc.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+6482|C:\Windows\System32\SHCORE.DLL+617d|C:\Windows\System32\SHCORE.DLL+5e3d|C:\Windows\System32\SHCORE.DLL+5dcf|C:\Windows\System32\SHCORE.DLL+5cd4|C:\Windows\System32\SHELL32.dll+5351a|C:\Windows\System32\SHELL32.dll+848f2|C:\Windows\System32\ieframe.dll+68b5f|C:\Windows\System32\ieframe.dll+68827|C:\Windows\System32\ieframe.dll+6874c|C:\Windows\System32\ieframe.dll+66e25|C:\Windows\System32\ieframe.dll+66b8a|C:\Windows\System32\ieframe.dll+64199|C:\Windows\System32\ieframe.dll+bf744|C:\Windows\System32\ieframe.dll+be283|C:\Windows\System32\ieframe.dll+7418c|C:\Windows\System32\ieframe.dll+7472c|C:\Windows\System32\ieframe.dll+7451d|C:\Windows\System32\ieframe.dll+74437|C:\Windows\System32\mshtml.dll+124158|C:\Windows\System32\mshtml.dll+123a11
10341000x8000000000000000286028Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:23.052{C8EA50B7-0F2D-6216-C404-000000003802}1164580C:\Windows\system32\mmc.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+6154|C:\Windows\System32\SHCORE.DLL+5e3d|C:\Windows\System32\SHCORE.DLL+5dcf|C:\Windows\System32\SHCORE.DLL+5cd4|C:\Windows\System32\SHELL32.dll+5351a|C:\Windows\System32\SHELL32.dll+848f2|C:\Windows\System32\ieframe.dll+68b5f|C:\Windows\System32\ieframe.dll+68827|C:\Windows\System32\ieframe.dll+6874c|C:\Windows\System32\ieframe.dll+66e25|C:\Windows\System32\ieframe.dll+66b8a|C:\Windows\System32\ieframe.dll+64199|C:\Windows\System32\ieframe.dll+bf744|C:\Windows\System32\ieframe.dll+be283|C:\Windows\System32\ieframe.dll+7418c|C:\Windows\System32\ieframe.dll+7472c|C:\Windows\System32\ieframe.dll+7451d|C:\Windows\System32\ieframe.dll+74437|C:\Windows\System32\mshtml.dll+124158|C:\Windows\System32\mshtml.dll+123a11|C:\Windows\System32\mshtml.dll+112698
10341000x8000000000000000286027Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:23.052{C8EA50B7-0F2D-6216-C404-000000003802}1164580C:\Windows\system32\mmc.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+1c0e5|C:\Windows\System32\SHELL32.dll+535ce|C:\Windows\System32\SHELL32.dll+848f2|C:\Windows\System32\ieframe.dll+13f663|C:\Windows\System32\ieframe.dll+13f566|C:\Windows\System32\ieframe.dll+6847f|C:\Windows\System32\ieframe.dll+68723|C:\Windows\System32\ieframe.dll+66e25|C:\Windows\System32\ieframe.dll+66b8a|C:\Windows\System32\ieframe.dll+64199|C:\Windows\System32\ieframe.dll+bf744|C:\Windows\System32\ieframe.dll+be283|C:\Windows\System32\ieframe.dll+7418c|C:\Windows\System32\ieframe.dll+7472c|C:\Windows\System32\ieframe.dll+7451d|C:\Windows\System32\ieframe.dll+74437|C:\Windows\System32\mshtml.dll+124158|C:\Windows\System32\mshtml.dll+123a11|C:\Windows\System32\mshtml.dll+112698|C:\Windows\System32\mshtml.dll+113e1c|C:\Windows\System32\mshtml.dll+113777
10341000x8000000000000000286026Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:23.052{C8EA50B7-0F2D-6216-C404-000000003802}1164580C:\Windows\system32\mmc.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+1c0e5|C:\Windows\System32\SHELL32.dll+53538|C:\Windows\System32\SHELL32.dll+848f2|C:\Windows\System32\ieframe.dll+13f663|C:\Windows\System32\ieframe.dll+13f566|C:\Windows\System32\ieframe.dll+6847f|C:\Windows\System32\ieframe.dll+68723|C:\Windows\System32\ieframe.dll+66e25|C:\Windows\System32\ieframe.dll+66b8a|C:\Windows\System32\ieframe.dll+64199|C:\Windows\System32\ieframe.dll+bf744|C:\Windows\System32\ieframe.dll+be283|C:\Windows\System32\ieframe.dll+7418c|C:\Windows\System32\ieframe.dll+7472c|C:\Windows\System32\ieframe.dll+7451d|C:\Windows\System32\ieframe.dll+74437|C:\Windows\System32\mshtml.dll+124158|C:\Windows\System32\mshtml.dll+123a11|C:\Windows\System32\mshtml.dll+112698|C:\Windows\System32\mshtml.dll+113e1c|C:\Windows\System32\mshtml.dll+113777
10341000x8000000000000000286025Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:23.052{C8EA50B7-0F2D-6216-C404-000000003802}1164580C:\Windows\system32\mmc.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+6482|C:\Windows\System32\SHCORE.DLL+617d|C:\Windows\System32\SHCORE.DLL+5e3d|C:\Windows\System32\SHCORE.DLL+5dcf|C:\Windows\System32\SHCORE.DLL+5cd4|C:\Windows\System32\SHELL32.dll+5351a|C:\Windows\System32\SHELL32.dll+848f2|C:\Windows\System32\ieframe.dll+13f663|C:\Windows\System32\ieframe.dll+13f566|C:\Windows\System32\ieframe.dll+6847f|C:\Windows\System32\ieframe.dll+68723|C:\Windows\System32\ieframe.dll+66e25|C:\Windows\System32\ieframe.dll+66b8a|C:\Windows\System32\ieframe.dll+64199|C:\Windows\System32\ieframe.dll+bf744|C:\Windows\System32\ieframe.dll+be283|C:\Windows\System32\ieframe.dll+7418c|C:\Windows\System32\ieframe.dll+7472c|C:\Windows\System32\ieframe.dll+7451d|C:\Windows\System32\ieframe.dll+74437|C:\Windows\System32\mshtml.dll+124158
10341000x8000000000000000286024Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:23.052{C8EA50B7-0F2D-6216-C404-000000003802}1164580C:\Windows\system32\mmc.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+6154|C:\Windows\System32\SHCORE.DLL+5e3d|C:\Windows\System32\SHCORE.DLL+5dcf|C:\Windows\System32\SHCORE.DLL+5cd4|C:\Windows\System32\SHELL32.dll+5351a|C:\Windows\System32\SHELL32.dll+848f2|C:\Windows\System32\ieframe.dll+13f663|C:\Windows\System32\ieframe.dll+13f566|C:\Windows\System32\ieframe.dll+6847f|C:\Windows\System32\ieframe.dll+68723|C:\Windows\System32\ieframe.dll+66e25|C:\Windows\System32\ieframe.dll+66b8a|C:\Windows\System32\ieframe.dll+64199|C:\Windows\System32\ieframe.dll+bf744|C:\Windows\System32\ieframe.dll+be283|C:\Windows\System32\ieframe.dll+7418c|C:\Windows\System32\ieframe.dll+7472c|C:\Windows\System32\ieframe.dll+7451d|C:\Windows\System32\ieframe.dll+74437|C:\Windows\System32\mshtml.dll+124158|C:\Windows\System32\mshtml.dll+123a11
10341000x8000000000000000286023Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:23.052{C8EA50B7-0F2D-6216-C404-000000003802}1164580C:\Windows\system32\mmc.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+1c0e5|C:\Windows\System32\SHELL32.dll+535ce|C:\Windows\System32\SHELL32.dll+848f2|C:\Windows\System32\ieframe.dll+13f663|C:\Windows\System32\ieframe.dll+179fe0|C:\Windows\System32\ieframe.dll+68723|C:\Windows\System32\ieframe.dll+66e25|C:\Windows\System32\ieframe.dll+66b8a|C:\Windows\System32\ieframe.dll+64199|C:\Windows\System32\ieframe.dll+bf744|C:\Windows\System32\ieframe.dll+be283|C:\Windows\System32\ieframe.dll+7418c|C:\Windows\System32\ieframe.dll+7472c|C:\Windows\System32\ieframe.dll+7451d|C:\Windows\System32\ieframe.dll+74437|C:\Windows\System32\mshtml.dll+124158|C:\Windows\System32\mshtml.dll+123a11|C:\Windows\System32\mshtml.dll+112698|C:\Windows\System32\mshtml.dll+113e1c|C:\Windows\System32\mshtml.dll+113777|C:\Windows\System32\mshtml.dll+1176c1
10341000x8000000000000000286022Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:23.052{C8EA50B7-0F2D-6216-C404-000000003802}1164580C:\Windows\system32\mmc.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+1c0e5|C:\Windows\System32\SHELL32.dll+53538|C:\Windows\System32\SHELL32.dll+848f2|C:\Windows\System32\ieframe.dll+13f663|C:\Windows\System32\ieframe.dll+179fe0|C:\Windows\System32\ieframe.dll+68723|C:\Windows\System32\ieframe.dll+66e25|C:\Windows\System32\ieframe.dll+66b8a|C:\Windows\System32\ieframe.dll+64199|C:\Windows\System32\ieframe.dll+bf744|C:\Windows\System32\ieframe.dll+be283|C:\Windows\System32\ieframe.dll+7418c|C:\Windows\System32\ieframe.dll+7472c|C:\Windows\System32\ieframe.dll+7451d|C:\Windows\System32\ieframe.dll+74437|C:\Windows\System32\mshtml.dll+124158|C:\Windows\System32\mshtml.dll+123a11|C:\Windows\System32\mshtml.dll+112698|C:\Windows\System32\mshtml.dll+113e1c|C:\Windows\System32\mshtml.dll+113777|C:\Windows\System32\mshtml.dll+1176c1
10341000x8000000000000000286021Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:23.052{C8EA50B7-0F2D-6216-C404-000000003802}1164580C:\Windows\system32\mmc.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+6482|C:\Windows\System32\SHCORE.DLL+617d|C:\Windows\System32\SHCORE.DLL+5e3d|C:\Windows\System32\SHCORE.DLL+5dcf|C:\Windows\System32\SHCORE.DLL+5cd4|C:\Windows\System32\SHELL32.dll+5351a|C:\Windows\System32\SHELL32.dll+848f2|C:\Windows\System32\ieframe.dll+13f663|C:\Windows\System32\ieframe.dll+179fe0|C:\Windows\System32\ieframe.dll+68723|C:\Windows\System32\ieframe.dll+66e25|C:\Windows\System32\ieframe.dll+66b8a|C:\Windows\System32\ieframe.dll+64199|C:\Windows\System32\ieframe.dll+bf744|C:\Windows\System32\ieframe.dll+be283|C:\Windows\System32\ieframe.dll+7418c|C:\Windows\System32\ieframe.dll+7472c|C:\Windows\System32\ieframe.dll+7451d|C:\Windows\System32\ieframe.dll+74437|C:\Windows\System32\mshtml.dll+124158|C:\Windows\System32\mshtml.dll+123a11
10341000x8000000000000000286020Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:23.052{C8EA50B7-0F2D-6216-C404-000000003802}1164580C:\Windows\system32\mmc.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+6154|C:\Windows\System32\SHCORE.DLL+5e3d|C:\Windows\System32\SHCORE.DLL+5dcf|C:\Windows\System32\SHCORE.DLL+5cd4|C:\Windows\System32\SHELL32.dll+5351a|C:\Windows\System32\SHELL32.dll+848f2|C:\Windows\System32\ieframe.dll+13f663|C:\Windows\System32\ieframe.dll+179fe0|C:\Windows\System32\ieframe.dll+68723|C:\Windows\System32\ieframe.dll+66e25|C:\Windows\System32\ieframe.dll+66b8a|C:\Windows\System32\ieframe.dll+64199|C:\Windows\System32\ieframe.dll+bf744|C:\Windows\System32\ieframe.dll+be283|C:\Windows\System32\ieframe.dll+7418c|C:\Windows\System32\ieframe.dll+7472c|C:\Windows\System32\ieframe.dll+7451d|C:\Windows\System32\ieframe.dll+74437|C:\Windows\System32\mshtml.dll+124158|C:\Windows\System32\mshtml.dll+123a11|C:\Windows\System32\mshtml.dll+112698
10341000x8000000000000000286019Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:23.052{C8EA50B7-0F2D-6216-C404-000000003802}1164580C:\Windows\system32\mmc.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+6497|C:\Windows\System32\SHCORE.DLL+6387|C:\Windows\System32\SHCORE.DLL+62fd|C:\Windows\System32\SHCORE.DLL+620a|C:\Windows\System32\SHELL32.dll+d15fa|C:\Windows\System32\SHELL32.dll+84bc4|C:\Windows\System32\SHELL32.dll+84818|C:\Windows\System32\ieframe.dll+13f663|C:\Windows\System32\ieframe.dll+179fe0|C:\Windows\System32\ieframe.dll+68723|C:\Windows\System32\ieframe.dll+66e25|C:\Windows\System32\ieframe.dll+66b8a|C:\Windows\System32\ieframe.dll+64199|C:\Windows\System32\ieframe.dll+bf744|C:\Windows\System32\ieframe.dll+be283|C:\Windows\System32\ieframe.dll+7418c|C:\Windows\System32\ieframe.dll+7472c|C:\Windows\System32\ieframe.dll+7451d|C:\Windows\System32\ieframe.dll+74437|C:\Windows\System32\mshtml.dll+124158|C:\Windows\System32\mshtml.dll+123a11
10341000x8000000000000000286018Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:23.052{C8EA50B7-0F2D-6216-C404-000000003802}1164580C:\Windows\system32\mmc.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+6482|C:\Windows\System32\SHCORE.DLL+617d|C:\Windows\System32\SHCORE.DLL+5e3d|C:\Windows\System32\SHCORE.DLL+5dcf|C:\Windows\System32\SHCORE.DLL+5cd4|C:\Windows\System32\SHELL32.dll+d15e8|C:\Windows\System32\SHELL32.dll+84bc4|C:\Windows\System32\SHELL32.dll+84818|C:\Windows\System32\ieframe.dll+13f663|C:\Windows\System32\ieframe.dll+179fe0|C:\Windows\System32\ieframe.dll+68723|C:\Windows\System32\ieframe.dll+66e25|C:\Windows\System32\ieframe.dll+66b8a|C:\Windows\System32\ieframe.dll+64199|C:\Windows\System32\ieframe.dll+bf744|C:\Windows\System32\ieframe.dll+be283|C:\Windows\System32\ieframe.dll+7418c|C:\Windows\System32\ieframe.dll+7472c|C:\Windows\System32\ieframe.dll+7451d|C:\Windows\System32\ieframe.dll+74437|C:\Windows\System32\mshtml.dll+124158
10341000x8000000000000000286017Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:23.052{C8EA50B7-0F2D-6216-C404-000000003802}1164580C:\Windows\system32\mmc.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.DLL+64c8|C:\Windows\System32\SHCORE.DLL+6154|C:\Windows\System32\SHCORE.DLL+5e3d|C:\Windows\System32\SHCORE.DLL+5dcf|C:\Windows\System32\SHCORE.DLL+5cd4|C:\Windows\System32\SHELL32.dll+d15e8|C:\Windows\System32\SHELL32.dll+84bc4|C:\Windows\System32\SHELL32.dll+84818|C:\Windows\System32\ieframe.dll+13f663|C:\Windows\System32\ieframe.dll+179fe0|C:\Windows\System32\ieframe.dll+68723|C:\Windows\System32\ieframe.dll+66e25|C:\Windows\System32\ieframe.dll+66b8a|C:\Windows\System32\ieframe.dll+64199|C:\Windows\System32\ieframe.dll+bf744|C:\Windows\System32\ieframe.dll+be283|C:\Windows\System32\ieframe.dll+7418c|C:\Windows\System32\ieframe.dll+7472c|C:\Windows\System32\ieframe.dll+7451d|C:\Windows\System32\ieframe.dll+74437|C:\Windows\System32\mshtml.dll+124158|C:\Windows\System32\mshtml.dll+123a11
23542300x8000000000000000286051Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:24.583{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4780A73F9A3ED6CEFE8DE39132D396B3,SHA256=8A18B8FA466D37B2DA0BBE4E8AFEFEA222D736CE443B20458AA1171C7FF589AC,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000215006Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:24.758{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D65A82FF3F6F6A6A63162117F50E266,SHA256=7328ADAE99BD0C7A862839F940A07261A790711C8B98976D4EB4305EFEBB36DE,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000286050Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:22.683{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53293-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-
23542300x8000000000000000215007Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:25.774{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0FC60D32AF5D594FE8DD7E78F8709C5,SHA256=1EE67B3097F443460DC73835C01159A129B20E4696DABE74FA031D9ED5CFCCFA,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000286052Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:25.598{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C194020AEF3A7176C9354C8018D98FC4,SHA256=1A0AF8295B2C04EB27579C53F9299A6654088E33AF2B0CCB3403C22AE0AA0FE6,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000215008Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:26.789{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E761B55582EBFA0001619F517E468FA,SHA256=00395B72616C90580049B9E79134D90DF8C3B7C6E9525936B2FFC36D4BC1B8B4,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000286053Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:26.630{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9853FBE928C0A33A1E6B0909059F89D0,SHA256=3795C8A8DA919DF1DC1B784BEBC3F1591194D8CF72C6F77E12FA587B92B4F185,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000286054Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:27.645{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D9E5379C2B676E95263E84202B16A21,SHA256=E30DB22FBFB89A96DE7D6839A0C5AECC1ACB4D9043CF179FC5F92275C21844EF,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000286055Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:28.661{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72AEE14E2F1C5074D2197F5031A07C2C,SHA256=43004C70E84E8BFE1F2A62F4D6950CD368349D9739C8FDB182CEDAD44797D8BE,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000215009Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:28.024{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F909893EF6094E797F6238815BADB208,SHA256=F90E3CEA8A7C2F7756D8798814F4FF0C6113E0322DF9696B3A1BC4B0DAB6A040,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000286056Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:29.661{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA3790DD05DA950E92650C2D190AFF8C,SHA256=0FF7BA9A663DBA04FBA2A7E76148AF2577522D969A7BFF833D2857805C39D5C4,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000215011Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:26.587{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51229-false10.0.1.12-8000-
23542300x8000000000000000215010Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:29.039{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22F9816E7EF8AD26F053C705C73BC0F2,SHA256=40843B0F8E0D7A68CA2777034C394F220A262DC9872B97288315F588765BE597,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000286063Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:28.620{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53294-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-
23542300x8000000000000000286062Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:30.723{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50984139BD5B0CAC0BB907D502186C98,SHA256=36892738E5471728098A74642A209812EAAA7875F14DFC71AEE69C5DD72B587A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000215013Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:30.242{4F8D34B0-F11C-6215-1100-000000003902}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=1A06FD440F4C55EC3790B0E84335175E,SHA256=CD71DF17A0C5147F47BE989C48B7B94A1960F73D66794FE14C64E75E8A5F1D05,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000215012Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:30.055{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22F81291CE0BB21F366F7236D1682694,SHA256=358A600AC35CA13931DE6AC43F1E99B6EE48DD37DDD3633B03D182800ED17C2A,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000286061Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:30.677{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000286060Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:30.677{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000286059Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:30.677{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000286058Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:30.677{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
18141800x8000000000000000286057Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-ConnectPipe2022-02-23 10:41:30.583{C8EA50B7-0F2D-6216-C404-000000003802}1164\scerpcC:\Windows\system32\mmc.exe
23542300x8000000000000000286064Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:31.771{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=843DE8DE06EE31028CE1A11726D2767A,SHA256=AA2E69C180E7EF02B167BB65425309E9EFD29BAD18BF5AC92F3D6BF88B6448DA,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000215014Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:31.086{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0583DF2A5F5FF0E06F0702164ACBBF25,SHA256=58186E1142163260E20BEF78AA52A2361356554CF3E01EE77F8C7B3923A1B66D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000286065Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:32.864{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=188EE53F618EC64B06D00AD46A668BEC,SHA256=DA7A3D89C971810159704415D056068FFA05A2BAAF085357AB746CE4B5FDACAE,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000215015Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:32.180{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C9E1EE39293F949A5B8AF5D4A4B99E0,SHA256=04BA057A83A42F2EE788255ABD80F28F19C284489B2CE5FA3D7510047C90C352,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000286067Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:33.880{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA923A333D4B1C176E0D6C2EEAC13A3C,SHA256=2C8C99A98B4276910DE9B1B26F6C6A93380B9BED8E90ED9804FE0D25309B1E3C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000215016Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:33.195{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10A10C7BA875A94B4359FF26DFBE3144,SHA256=1298C721C3DCCA2AE4D0F86B932D27D063022C053F2A51DD19B7ABE52175D1FD,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000286066Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:33.302{C8EA50B7-F11F-6215-1300-000000003802}616NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=D55E60F9BFA2BC9716635C1B551DBDDD,SHA256=27F8FA799CBAD3A7BC80EEB1EED2E063BDC8E950F9F1B9CB1554ECF8FBBAAD45,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000286068Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:34.973{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60E01E657C04859EF82A001738F3E5C7,SHA256=9EC851123A4F5177B5C93DCE5B8373550F9EA303CD47F1F85F419F5316C528C8,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000215018Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:34.211{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D83F326C48D85E1ABDC24AE87A6C4170,SHA256=6EC04F1E0D433EC5B7E23C34190831331F94E12B08CAA1A91CB09A5B65FC8814,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000215017Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:31.603{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51230-false10.0.1.12-8000-
23542300x8000000000000000286069Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:35.973{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBBE45062903509CD4998B6DCA89AD81,SHA256=1E7284B39F82E49A10A75FF810AF6F9F6DF8C214B0BB38D75502702C3B4F7306,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000215019Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:35.399{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCC8166CA0DBA599B56FEBCD9F815DC9,SHA256=4BA7EE50EF92E69CF89435FA1BF6EDB305E26D357563A330DDE8A3A3DE2D242C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000286071Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:36.989{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB5238748A8ECA0155E554AB6B34B738,SHA256=7415836B24483CA193F38C7668A886BD653560D0D77940E6C4E923229BCB5E29,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000215020Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:36.430{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAB0E288007D5F89D78C2863D902052B,SHA256=3E5ACB1119AAE8D7FC86ED82511F6303F19AAA5C0DC79319FAAF3AE2B81551E7,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000286070Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:34.636{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53295-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-
23542300x8000000000000000215021Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:37.524{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F436691BD085A0396A7302EC900F2715,SHA256=EEA014C8E0A72F0AD97CD388AF37B0EE01807F7FB2DF8F99F4BDA88C87426532,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000215022Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:38.539{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=547B70F5BEE131065DA96B72872CBDFD,SHA256=2DD50A6D095773489F5CA7531B6C3675DECB89C574C19E45E4FDEF82FF185574,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000286072Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:38.051{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D92F7119CB81832C3F9277A9C9E6A45F,SHA256=D3B9EEC7541ABD77DBBAB60E362E3A473092516BB676B9B72EE836E9666774E2,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000215023Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:39.711{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=076474F60A4F8E0C6ACDCB1C768F58C7,SHA256=7A9F79B675A56218B04323EE3179484C78F0143B8FA12F2D1FFC146607E90FDE,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000286074Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:39.598{C8EA50B7-F130-6215-3000-000000003802}2512NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C796F5788518CF0F57AB5C87207C5D14,SHA256=0CE7095FECB35749AB15D15586D728EDDAEC94009FC3FB4FCEDC790B064FF951,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000286073Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:39.114{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CEC77D95C88B487DABE2F83A19829AB,SHA256=9022DA7631AA88EA7D8B8656A714F1A61FCBCE799BC0A2124B6535A486BC19AD,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000215025Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:40.930{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DABAC60F6FF4B3A5E41D36D4EC808E50,SHA256=CCAABF2CF94A8E17DAF19EF50DD46FF6F5C7CD1A7BAB2578DDCE5E36445E6267,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000286075Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:40.176{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F5FA66E780808388FFC9F92D8F05A62,SHA256=30267124B869AB9585308411C6A7E8D01B48024A80F2415FA26DCB57E412E0EA,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000215024Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:37.619{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51231-false10.0.1.12-8000-
23542300x8000000000000000215026Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:41.961{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=013EB92530F8F3A8E14C3AE094017EF7,SHA256=EEC9D8CCED6D16DBDC94AFF4AE98BEF99BDAEFC45BE6F06C9A7D85686DCB6E43,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000286076Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:41.223{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F0CF8F5820EC7CE01D44715F4780D49,SHA256=1952BEAC22F70725A52D8187188B11134F33093A132E9DE4C270BAE318AD5679,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000215027Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:42.992{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E163A0FD2306E8AB591D1DC6B6CF0CAA,SHA256=4998C0C99A80CC3C92ED89AC0328288D1D2FBB320EF303A91D7FBD1C2811155B,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000286079Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:40.636{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53297-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-
23542300x8000000000000000286078Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:42.255{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47A5B2C16014E8F5ADF5C884E92F2003,SHA256=801D60F8D760E55DA882F45044DB9F50E2C2BC3B576A3853AB75F1E365169F63,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000286077Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:39.011{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53296-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089-
23542300x8000000000000000215028Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:43.992{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C699275D26067422AA367A445F8DFCB,SHA256=B02420DDC1A68F9857FBF8CCE7643CF312613A35A25FD297500CCC746EDF6E25,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000286080Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:43.302{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=605132C99E8FBD048F0A6E442185EDC8,SHA256=757559EFEADE32EA5AF843B7DB3528C2A4531315C926766E828B7CB47D990CC0,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000286081Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:44.317{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5259D538891B01DADCB250B95E9ED3E4,SHA256=D94C05AB4CC66AB5D68F9A3F252865B1A4189409C01720468078E409BF8473DB,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000215029Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:44.544{4F8D34B0-F11D-6215-1D00-000000003902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04ffbe17aee3fbf0d\channels\health\respondent-20220223083233-125MD5=7840F8D654EED3E7C6FA395A9E23FA56,SHA256=FC4C38DACEF1698268BE802A03907A00216EAC67FA531AF20528DD4173FB9624,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000286082Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:45.427{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E1502C690134549A0FEC8B7BEC54CA6,SHA256=E683AF6B6341D6814FE5463BE3565B68AE5B1083F40368990EDC62527908700A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000215059Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:45.798{4F8D34B0-F11D-6215-2300-000000003902}2036NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C796F5788518CF0F57AB5C87207C5D14,SHA256=0CE7095FECB35749AB15D15586D728EDDAEC94009FC3FB4FCEDC790B064FF951,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000215058Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:45.782{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-0F69-6216-1904-000000003902}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000215057Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:45.782{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000215056Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:45.782{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000215055Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:45.782{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000215054Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:45.782{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000215053Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:45.782{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000215052Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:45.782{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000215051Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:45.782{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000215050Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:45.782{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000215049Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:45.782{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000215048Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:45.782{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-0F69-6216-1904-000000003902}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000215047Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:45.782{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-0F69-6216-1904-000000003902}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000215046Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:45.783{4F8D34B0-0F69-6216-1904-000000003902}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
354300x8000000000000000215045Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:42.681{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51232-false10.0.1.12-8000-
23542300x8000000000000000215044Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:45.550{4F8D34B0-F11D-6215-1D00-000000003902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04ffbe17aee3fbf0d\channels\health\surveyor-20220223083230-126MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000215043Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:45.159{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-0F69-6216-1804-000000003902}4004C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000215042Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:45.159{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000215041Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:45.159{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000215040Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:45.159{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000215039Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:45.159{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000215038Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:45.159{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000215037Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:45.159{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000215036Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:45.159{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000215035Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:45.159{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000215034Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:45.159{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000215033Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:45.159{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-0F69-6216-1804-000000003902}4004C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000215032Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:45.159{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-0F69-6216-1804-000000003902}4004C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000215031Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:45.160{4F8D34B0-0F69-6216-1804-000000003902}4004C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x8000000000000000215030Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:45.003{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99888CED8EE31935E34FCE06208E8B3F,SHA256=056BDFD7AB7A0972EB8173C9140838223D8CDE4B8CF6462D0E7A8ED19C74FBEB,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000286083Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:46.442{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=778A5E088A0D48394D19B1BEAC80C7CB,SHA256=95895E550F66E5542B7FF82964162D399DF7C9B93D2F314D7EFFD7ACF4FFF143,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000215063Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:46.190{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3B465BF5966D3A49AC19DDA2C2923277,SHA256=8E4758022214B25D5F7831893135B81BCEC3D7CFF89A03755EC7EA8C7FDF6743,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000215062Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:46.190{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BE63D3F28BC1DE7CF2051909F507EC0C,SHA256=928BC53B0185EF61C99E489022005D47434B06532CF88967E9E7679A5D42C277,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000215061Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:46.081{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8AA532A7470E989AF7FC03C666F4E52,SHA256=ED8B266B209BEDDDE95F3FDA7A542AA934FA1506DE0A5774BD1199262A309BD5,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000215060Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:46.002{4F8D34B0-0F69-6216-1904-000000003902}26962832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x8000000000000000286084Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:47.489{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00408AC4490CD7F92DFBBFF4D9DA7E03,SHA256=1DCCB68E31C148E623C6F6C5F0E3A3E21F2054CC45D3BDF5677B8C6B64172C3F,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000215091Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:45.221{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51233-false10.0.1.12-8089-
10341000x8000000000000000215090Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:47.878{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-0F6B-6216-1B04-000000003902}1036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000215089Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:47.878{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000215088Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:47.878{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000215087Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:47.878{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000215086Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:47.878{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000215085Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:47.878{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000215084Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:47.878{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000215083Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:47.878{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000215082Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:47.878{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000215081Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:47.878{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000215080Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:47.878{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-0F6B-6216-1B04-000000003902}1036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000215079Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:47.878{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-0F6B-6216-1B04-000000003902}1036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000215078Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:47.879{4F8D34B0-0F6B-6216-1B04-000000003902}1036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
10341000x8000000000000000215077Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:47.362{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-0F6B-6216-1A04-000000003902}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000215076Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:47.362{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000215075Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:47.362{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000215074Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:47.362{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000215073Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:47.362{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000215072Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:47.362{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000215071Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:47.362{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000215070Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:47.362{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000215069Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:47.362{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000215068Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:47.362{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000215067Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:47.362{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-0F6B-6216-1A04-000000003902}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000215066Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:47.362{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-0F6B-6216-1A04-000000003902}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000215065Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:47.363{4F8D34B0-0F6B-6216-1A04-000000003902}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x8000000000000000215064Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:47.097{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CDFCB25FA4474A900E3C8A31D416B67,SHA256=BBA26B039F0A716AC867D99A90300FDB6AF033F65787BFD21ED3413166EA4A75,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000215094Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:48.519{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3B465BF5966D3A49AC19DDA2C2923277,SHA256=8E4758022214B25D5F7831893135B81BCEC3D7CFF89A03755EC7EA8C7FDF6743,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000215093Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:48.503{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FA74F03A9D1AA7D51011AC7229FF56F,SHA256=C9D31FF7DB563900B9B002E0F5595BD764005E550A8CAF9F4BE8E7EB4DCD09E5,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000286089Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:48.489{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC568AD05BA0E349CA8D161EF4B43262,SHA256=640E42136F9536F393A176F29ED30CEFEEFC5EA9550E02D0590217D6487384CA,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000286088Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:48.380{C8EA50B7-F11D-6215-0B00-000000003802}628792C:\Windows\system32\lsass.exe{C8EA50B7-F11F-6215-1000-000000003802}364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000286087Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:48.304{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-F118-6215-0100-000000003802}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+97022|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2f1f1|C:\Windows\system32\lsasrv.dll+2d0d6|C:\Windows\system32\lsasrv.dll+32919|C:\Windows\system32\lsasrv.dll+30267|C:\Windows\system32\lsasrv.dll+2f1f1|C:\Windows\system32\lsasrv.dll+1752d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e
10341000x8000000000000000286086Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:48.208{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-F11F-6215-1000-000000003802}364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000286085Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:48.192{C8EA50B7-F11D-6215-0B00-000000003802}6281608C:\Windows\system32\lsass.exe{C8EA50B7-F11F-6215-1000-000000003802}364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000215092Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:48.065{4F8D34B0-0F6B-6216-1B04-000000003902}1036776C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
354300x8000000000000000286102Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:47.785{C8EA50B7-F118-6215-0100-000000003802}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local53301-truefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local445microsoft-ds
354300x8000000000000000286101Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:47.784{C8EA50B7-F118-6215-0100-000000003802}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local53301-truefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local445microsoft-ds
23542300x8000000000000000286100Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:49.505{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C28D16F20C37F4C3BBEE9917A2AB2E0,SHA256=0378E00523430844168C5C1588E119DCE434D0618223F87A903B37BA2F81C61F,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000215122Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:49.815{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-0F6D-6216-1D04-000000003902}3280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000215121Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:49.815{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000215120Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:49.815{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000215119Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:49.815{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000215118Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:49.815{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000215117Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:49.815{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000215116Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:49.815{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000215115Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:49.815{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000215114Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:49.815{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000215113Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:49.815{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000215112Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:49.815{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-0F6D-6216-1D04-000000003902}3280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000215111Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:49.815{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-0F6D-6216-1D04-000000003902}3280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000215110Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:49.816{4F8D34B0-0F6D-6216-1D04-000000003902}3280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x8000000000000000215109Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:49.675{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0802B844581DC8DF0D4B7B2A1F7B226,SHA256=E94A9F1BAA6CD07BF10B5344262D192D2C62E4E5708535CFD239A24F3C77AB8E,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000215108Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:49.550{4F8D34B0-0F6D-6216-1C04-000000003902}20281216C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000215107Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:49.315{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-0F6D-6216-1C04-000000003902}2028C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000215106Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:49.315{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000215105Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:49.315{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000215104Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:49.315{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000215103Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:49.315{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000215102Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:49.315{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000215101Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:49.315{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000215100Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:49.315{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000215099Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:49.315{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000215098Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:49.315{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000215097Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:49.315{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-0F6D-6216-1C04-000000003902}2028C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000215096Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:49.315{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-0F6D-6216-1C04-000000003902}2028C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000215095Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:49.316{4F8D34B0-0F6D-6216-1C04-000000003902}2028C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
354300x8000000000000000286099Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:47.694{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53300-false10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local389ldap
354300x8000000000000000286098Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:47.694{C8EA50B7-F11F-6215-1000-000000003802}364C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53300-false10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local389ldap
354300x8000000000000000286097Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:47.680{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local53299-truefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local389ldap
354300x8000000000000000286096Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:47.680{C8EA50B7-F11F-6215-1000-000000003802}364C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local53299-truefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local389ldap
23542300x8000000000000000286095Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:49.255{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5611F01D94CF4D8FAB21C6312D3655DC,SHA256=DD7A57145B80E7FEDB692BFF082CEE92B7C5D7017925B20FA7AFE1AD34D50B1D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000286094Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:49.239{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=18AFC63FDF0F089A398F576388C06F88,SHA256=23F0BBA8DE215678C474659A96434EE97521718D2A3397352964C7826BA4C7AF,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000286093Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:49.208{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=A5BA00FB08177F57C79A9BDEA53CA0D5,SHA256=504D4297885A77D0066C5CE4E3192E979C86D939AB674E85C090D709D3E157E5,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000286092Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:49.208{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=147BF6AED78C90D4E8729782945B89A2,SHA256=4014BD6EA7EC1755A05C5079ABEFA9A3CFDC1FF52AD643FD05FFEF4B5D667E2D,IMPHASH=00000000000000000000000000000000falsetrue
354300x8000000000000000286091Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:47.184{C8EA50B7-F11F-6215-1300-000000003802}616C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruetruefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local546dhcpv6-clienttrueff02:0:0:0:0:0:1:2-547dhcpv6-server
354300x8000000000000000286090Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:46.542{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53298-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-
354300x8000000000000000215126Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:48.473{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51234-false10.0.1.12-8000-
23542300x8000000000000000215125Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:41:50.690{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EF70B5A18C47D437CEC17CFCD536854,SHA256=D6090F174095FEFA5DDB6F7C7B57B98D883256B04F1B191CD3627B7A6FA45978,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000286103Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:41:50.520{