23542300x8000000000000000284379Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:00.210{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6CC858A7D8E0852740AEC48263E2578,SHA256=67B59EA3130E3FCE6172E40B845B5C4F97B156C14C4D742189F453C85B0E8DB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213589Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:00.129{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA78F6A36EFD3E201206A6593A7CB12E,SHA256=801515DD1ED06E0943A249FD27ABBF017BCD1B1F3795BEFBE38DF5AE236DFA9A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000213591Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:32:58.659{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51130-false10.0.1.12-8000- 23542300x8000000000000000213590Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:01.145{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A916A255B220CC6992CD9C8830B9F115,SHA256=8B000BBDEC9428A68492C2813B572FD74CD24AB895CFA510C6FE3A7A8AEEA62B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284380Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:01.225{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F85DF96A4D5CF8E53EA4595225F17A5,SHA256=FB85E944B763E586396027D847EC15B777A1B970157BAF6D10FFC90BCFBACF3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213592Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:02.379{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=828DF729EB3487C482B5CDE371FA85AE,SHA256=1B5DDCDFF5BCE862D266B3CA2861B388EE6E6C0A48E789F44EF27E1247F2FB3E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000284398Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:02.804{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0D5E-6216-8804-000000003802}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284397Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:02.804{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284396Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:02.804{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284395Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:02.804{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284394Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:02.804{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284393Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:02.804{C8EA50B7-F11C-6215-0500-000000003802}412428C:\Windows\system32\csrss.exe{C8EA50B7-0D5E-6216-8804-000000003802}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000284392Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:02.804{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0D5E-6216-8804-000000003802}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000284391Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:02.805{C8EA50B7-0D5E-6216-8804-000000003802}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000284390Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:02.272{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B40D46DAF436CF912A40B96E2C258A8,SHA256=27A97B146C7407BCAE80EE3F71D0F27951E48F6EF4A7B0B0F1497376CC9BDB1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284389Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:02.257{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4C9374267C661A4FC3924AAF22AFE1F,SHA256=897050DF5506115047AC90B2C94CF95621DD7EC9892CE962A61FED8315AF5872,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000284388Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:02.194{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0D5E-6216-8704-000000003802}5596C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284387Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:02.190{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284386Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:02.189{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284385Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:02.189{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284384Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:02.189{C8EA50B7-F11C-6215-0500-000000003802}412368C:\Windows\system32\csrss.exe{C8EA50B7-0D5E-6216-8704-000000003802}5596C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000284383Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:02.189{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284382Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:02.189{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0D5E-6216-8704-000000003802}5596C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000284381Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:02.188{C8EA50B7-0D5E-6216-8704-000000003802}5596C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000213593Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:03.395{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A70A25D41F7A3727D703EF902F8F8C35,SHA256=E9AB6CDCF931BCCC5E80B60D4E9D4D58876A5C93601EA818AFD4C8A35EC03A03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284402Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:03.267{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98E6DCE18721CD585C58DB0E5AF44835,SHA256=FB310E87F02158F75F16B237F3E3588626D235A74C496F9755C61B775F455EA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284401Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:03.199{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=877169D7318C972019E80A55CBA4FC2E,SHA256=CCFE473A09F8F92068B2A7CF13DA14D5B55F6228BED8CCC4AE8A8362B55312C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284400Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:03.199{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CB7787397C9E3AB345CF5868ECDB908E,SHA256=CBB6C2D7D0988B455EEEADACD2DD18E7AAD59BDE8959B393E6436B77D817358F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000284399Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:03.102{C8EA50B7-0D5E-6216-8804-000000003802}36924884C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000213594Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:04.410{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFB160DC28FAC6A6D4FC4501EE8460E6,SHA256=9FB4521255807DF072D3F79F013E1B90CC44E1716EF7EB26F28CDEDAFA857AF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284412Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:04.603{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=877169D7318C972019E80A55CBA4FC2E,SHA256=CCFE473A09F8F92068B2A7CF13DA14D5B55F6228BED8CCC4AE8A8362B55312C2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000284411Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:04.267{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0D60-6216-8904-000000003802}5188C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000284410Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:04.267{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72899BA97A74C29D4CBD9ABF8F76C879,SHA256=FB5EB529052774D8CB3ECEE504C436E4D5B78853958C77531CE383C4F9E9EE38,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000284409Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:04.267{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284408Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:04.267{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284407Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:04.267{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284406Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:04.267{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284405Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:04.267{C8EA50B7-F11C-6215-0500-000000003802}4122608C:\Windows\system32\csrss.exe{C8EA50B7-0D60-6216-8904-000000003802}5188C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000284404Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:04.267{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0D60-6216-8904-000000003802}5188C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000284403Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:04.268{C8EA50B7-0D60-6216-8904-000000003802}5188C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000213595Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:05.598{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BD113B83E0D37E8ACE2F24668DE2FDE,SHA256=D4914A8B20055AC33F1798FFA91BB532CF2EC862E7EBE0FCD18804E818C2BAF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284416Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:05.305{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C5CC9888C8A7E1A8BF76E882EAEB391,SHA256=2230EF3AAC6376906FF0065009BF24D2D788AD00ED4B1E468CD4D68D4BD17213,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000284415Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:03.046{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53171-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000284414Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:03.046{C8EA50B7-F130-6215-2C00-000000003802}2420C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53171-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000284413Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:02.644{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53170-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000213596Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:06.614{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=843A35705D6A4F831C027A4A4054C33D,SHA256=D8EDE0F8C51EB1822201E0DC71E9FA9525B6E828F2F7F8B263E46EC5A9EE25FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284417Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:06.320{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B620D7B79564DB4FCCB705FC8D138654,SHA256=7EF28B5D2ED93581DB88F4D0EAAE337E57B7808515D74947117C3B86A52BD192,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213597Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:07.614{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=749EF04AE8530265F0F33439654460A6,SHA256=FC503228F9BE23FC38765A8ECEF79A628599C12433DB6D1B82EB521732244CE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284418Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:07.352{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59B641F1C45AFAED5765C58D963E1030,SHA256=3BC8A09608942EFDB49A75056A76851070D62AC0E3CABC8C74D1DFDD59CF59E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213599Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:08.629{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1D97881720F5B012A3744BFA28C21C6,SHA256=E1A7705A32EFAF4DE86BD6B25FAB05CC469028BA605557C46B854B655B2BFB16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284419Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:08.383{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57C9E358754FFCF9EC3BE1B0E8A1ED59,SHA256=B057B205B762D17B6D3E65BECB608A681ABD9809EB11D775002AFB643952C7F3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000213598Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:04.643{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51131-false10.0.1.12-8000- 23542300x8000000000000000213600Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:09.645{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E29ACC3E54C20203AFE93AFD2DBA5AB,SHA256=E4B04A4C606FF278062DEAD03DFC846EF5A9EC7E95834AB2DB6EECEF7A7C99A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284420Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:09.436{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA60036E1069536C846B6283F11DD3AB,SHA256=09655B3985A4AB667A444A46690E00DFEF9B4C076B3E393DF64A9EDE99B06D55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213601Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:10.754{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1F1B49D6FC16038DA15CE526AC6F78D,SHA256=C214D38A4B830CC9EDA718CBFD77CA350B0D26C81C07C4A9ED4B4BB93D80572B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284422Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:10.451{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7488A3205C2CD8EE18E95EB4BEA44D5D,SHA256=488A50070C1472B39B4589CAD98CF66648C92ACC1E1C1FF5BB6BA5083894BF86,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000284421Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:07.730{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53172-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000213602Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:11.832{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA8843099BF5BB1BCC87989FB97F139A,SHA256=1C789B2E6D656FE3032E998695A1068EFDCC15021E2D0964D7D5E873064DBD5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284423Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:11.451{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FD3669352E4EA4F9647BB4D66F34A96,SHA256=105F61BE2F382F2193AAA9B4A2AFFFFB79CCD6C95B14F2312834D37F3A02B879,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284424Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:12.466{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F33D18B14B22A444FCECDF792728AF1,SHA256=10ADA8A1EE48D9A94455B58A08914C3547306CC5D7338D1317F0BD3ECDA785E1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000213603Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:10.628{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51132-false10.0.1.12-8000- 23542300x8000000000000000284425Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:13.500{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=156E472F676ECF39BA541A84226BFA0F,SHA256=1D589BCF1C8A6789D223232929C72E70DBE7ACA49E45EC6D98CB3A94655E903A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213604Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:13.051{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94F67B23FF63FDC035471751CF8D1F3E,SHA256=1FC700902AB5ED3E66FE53FAF75B243DBABF88D47395DEF27782F16D88BEEF1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284426Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:14.518{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99D1CDBE504843ADE2B31438CB6E1458,SHA256=64BDFE999C5A6E93BB69C31D6AF234C2F14E660E19F29D0D8D1A983EA7361340,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213605Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:14.285{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D5A2396832BE32F70F5DE133E6F3C3A,SHA256=45D9925AF5DED69736093D0B7855A7147B4685CD4AA9A17A897C1B1316F30058,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213606Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:15.520{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B70DDBF96C684D8020A93D3A25699646,SHA256=2771FF3DDDE5B1B4AA79EEB9111CB689981279E7EE490BE5ACA0B5279E04B361,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284427Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:15.538{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=463BB897549F03ABEE6AD16DBB2AEFEF,SHA256=F2B30107D6892DDDF8008BA039638F9117E9D3B0D24DF6D7A91872AD0C04AA28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213607Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:16.613{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCB69A5382FBFA8B1D336A87265368EA,SHA256=0B12E21D71C969A7C8FE6BB3DAA13DA5F712254CC7DC0389CC47C5A010757D9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284429Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:16.538{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C82E724323548AE8D118D6FD031286F,SHA256=181D82978EAB5237E565C1C131B12A7C9CA7DB4213A470CAA170926DA38DA43A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000284428Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:13.712{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53173-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000284430Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:17.568{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C34C064DD8CFC49308B3E44ADFCD7B4E,SHA256=22D05F69E37F05765A9ECD57B4C65B2C9CBE751025E2B0D0FCDA0E9C4E250102,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213608Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:17.645{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7ABE88C037B2C76ABD749EFADFC463B,SHA256=2D9E1AA177E22A947A0597677B9E9568421DE9F7A23501B06A6A1EA464DE578D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284431Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:18.605{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7083A44DEB8113AABC0130569F0CD3ED,SHA256=E4A5649473347E8154310F44C0975570C2A4B3F96B279BA135A0A2BC743FFA0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213609Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:18.645{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86A46DE1AE06CB8349F3CA73D18DB200,SHA256=7D9CCEB818BEDE91E0F563B245D069964C82F15A5466C2BA333C7C9EFA17F79A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000284440Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:19.767{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0D6F-6216-8A04-000000003802}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284439Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:19.767{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284438Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:19.767{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284437Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:19.767{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284436Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:19.767{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284435Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:19.767{C8EA50B7-F11C-6215-0500-000000003802}4122608C:\Windows\system32\csrss.exe{C8EA50B7-0D6F-6216-8A04-000000003802}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000284434Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:19.767{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0D6F-6216-8A04-000000003802}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000284433Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:19.768{C8EA50B7-0D6F-6216-8A04-000000003802}4496C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000284432Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:19.636{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CBCEC9E1137D0431707F05733E02569,SHA256=DEC0E2B4F16C34589EC134F8EBC92D7D47BA185F9BA9C6A8061CC34B39DB2463,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213611Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:19.660{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE56F0E781244C2168D19EB58D76C4E1,SHA256=1E0A3612274DE2712B34B37EC7255F67D30DCD55A65A3ECE770AB035E6BCBA96,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000213610Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:16.643{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51133-false10.0.1.12-8000- 23542300x8000000000000000213612Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:20.754{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2371C8D1A6F7F1CCE7D917ED01C83180,SHA256=EA43DDCCB87CD9CE9C749B85062D40E8851A2FA85E42A3EAC9BBD5A57C50FEA2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000284461Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:20.941{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0D70-6216-8C04-000000003802}5524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284460Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:20.941{C8EA50B7-F11C-6215-0500-000000003802}4122608C:\Windows\system32\csrss.exe{C8EA50B7-0D70-6216-8C04-000000003802}5524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000284459Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:20.941{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0D70-6216-8C04-000000003802}5524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284458Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:20.941{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284457Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:20.941{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284456Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:20.941{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284455Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:20.941{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000284454Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:20.942{C8EA50B7-0D70-6216-8C04-000000003802}5524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000284453Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:20.771{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2698DAEE11FFC3B336CFBF007E1B0F12,SHA256=29FB3EDD8F25E2CD74896D411399A2F4F880D0A1E4CF9F2E2E3B4E12FF599C5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284452Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:20.771{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=586A8706309D2CF112F31AF4D58EFF3B,SHA256=EC9EDB3ED26A2EC95234409C40C6247EB60340836479BBABB8AC0B76BDF64094,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284451Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:20.640{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=760D694830ECAFE1ABC2A4602D1DEC24,SHA256=4E8E1950F33A0A15207318C8B66811E08FFBECA35B89DE0052478D29FEF8AB1C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000284450Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:20.592{C8EA50B7-0D70-6216-8B04-000000003802}52405620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284449Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:20.273{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0D70-6216-8B04-000000003802}5240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284448Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:20.273{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284447Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:20.273{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284446Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:20.273{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284445Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:20.273{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284444Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:20.273{C8EA50B7-F11C-6215-0500-000000003802}412368C:\Windows\system32\csrss.exe{C8EA50B7-0D70-6216-8B04-000000003802}5240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000284443Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:20.273{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0D70-6216-8B04-000000003802}5240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000284442Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:20.274{C8EA50B7-0D70-6216-8B04-000000003802}5240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000284441Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:20.028{C8EA50B7-0D6F-6216-8A04-000000003802}44961960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000213613Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:21.770{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5AADD944D4AAB32DF6FFE4D64EC7898,SHA256=29DDFAA43B0E6C916DE7366B64B1A5FABFFB5EA0396232B0614D0135C10DC88B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284473Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:21.962{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2698DAEE11FFC3B336CFBF007E1B0F12,SHA256=29FB3EDD8F25E2CD74896D411399A2F4F880D0A1E4CF9F2E2E3B4E12FF599C5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284472Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:21.661{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FB0DDC88D78C0226DADEBDF93142926,SHA256=C7CA9A2A78E8829087A3C17402142736267D4790AD70768EC9C816FF5F289534,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000284471Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:21.530{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0D71-6216-8D04-000000003802}5652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284470Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:21.530{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284469Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:21.530{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284468Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:21.530{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284467Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:21.530{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284466Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:21.530{C8EA50B7-F11C-6215-0500-000000003802}412368C:\Windows\system32\csrss.exe{C8EA50B7-0D71-6216-8D04-000000003802}5652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000284465Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:21.530{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0D71-6216-8D04-000000003802}5652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000284464Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:21.531{C8EA50B7-0D71-6216-8D04-000000003802}5652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000284463Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:21.287{C8EA50B7-0D70-6216-8C04-000000003802}55242816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000284462Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:19.549{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53174-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000284474Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:22.676{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E736F05F2250653244AE025AABBB5619,SHA256=BA11D7009E5A54AB69E841BE2A987396C20EFC2AF251C809C493EE89A7EFFA68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284475Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:23.677{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F30BE3E9AB07787303B3AE8463EC227,SHA256=67465756B50754F4B32F09594A1FA0B21E5A9729FFF1EF14C672E4C645D3F2CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213614Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:23.004{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C61734FB8B0EE1EFB7B6DF7FACABADC9,SHA256=261B53326B4C8E1AFAC64EFD839E0C281071BEC9CB07ED5985B4F16010875348,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284476Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:24.696{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38BE5D6037CEF6A942107582BA3D921C,SHA256=19929E0102B913368E9F9E19A4D0CE8AAAEC4057AB1B58CBE5C5CDA8FD9EE247,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000213616Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:22.690{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51134-false10.0.1.12-8000- 23542300x8000000000000000213615Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:24.145{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8882B8C53E5A470C6CED00ED27161925,SHA256=60D7E5FD923C49CA5E71972F85DC8D260942937370F43E371C21ACF60A7AE004,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284477Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:25.715{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0EE1F6F551F03F57310AC487424F697,SHA256=D00DDCCCE7FB849C824E0860A7026148596E7D84286EB875ED989F50A5242918,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213617Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:25.270{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B415F3B0A2E0E86FC944CB7DC41E13F,SHA256=F2F285DC4F474E1AB2A0C65E031A1E1A0DF060C21DEBE1C4C6881CE2C1C643BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284478Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:26.730{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7960D317A6DFEDE29821B085C16CDE8D,SHA256=D60861315191C0A0360A7EE22A481A87917FCBC61F502F07F3149012E44748E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213618Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:26.332{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC67B27C56B11E63C807FDE61938D9A2,SHA256=1987BFBE18F1F92964B9099C7D0D0E501C4C5ADCC6B0D8BAB929501B56EB5577,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213619Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:27.363{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3405E4A9A5834D8E2610ABEFBDBE1284,SHA256=F0CB6B580D0436A129E794E53277BB099D9C6B7B506038615B138873E019AD32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284480Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:27.761{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9427FAA5AF78517517C7B2CA66F8798,SHA256=C7FB08C9B2CCC28168481F3AA987D353B74839143E82D8705EA6D20ABD558A23,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000284479Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:24.724{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53175-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000213620Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:28.598{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A13D5A83189AC545CBB63505899E011,SHA256=A15501CAFA613C3C76DB0BA8BBC03B8BD3F3DEE12BDB8E0A36546BF324E91B71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284481Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:28.814{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F57D329888A8DC12DDFD959E54542D2,SHA256=F3FF6A305AA02F7DD3B3229F29A8718A5C66706AAEDF3DFA65C57EAE22DA6D88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213621Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:29.629{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5A8203E27CFB04BA8ED77AB51D578FD,SHA256=3444EB8F7FBE523C6442A9BF3F40483DB933E297FA31E0A40A7383E374C3DD15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284482Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:29.829{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=668BAE49510DA1D063B09D8BC875CA39,SHA256=0A1ECC703BA6794D789CCDDC4A66349EB8D16A3F29DB7027BC78B79844B0C0F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213623Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:30.848{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B24BA1E102BB16B38DC67F90FBB13B8,SHA256=EF4D02DA387828D058C4733095EB3ED720ADECADAADF0F9CD36BF89D29571A78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284483Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:30.844{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C97F2A486037BAC0D7EE310159881FD7,SHA256=4194AAA62D29502F6CD5C4D8F032CF002D241F6C5C02FC65DF2747C1EF500FDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213622Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:30.223{4F8D34B0-F11C-6215-1100-000000003902}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=C46BB996393CFA04AA8EF499E3649E0B,SHA256=6B97D010943DB8D6473B37496FF1D8246B177162B4FD273C96B0D870EB8FDAA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284484Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:31.845{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79DAFB506D0714E9F90BA7C6E02F9A96,SHA256=522625C0B8A7516A142D0FBD4F5CFB7A490FCB993F1A4A0298176786AF7603B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213625Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:31.879{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=713A2901B3968AE43B902F6577BA8FB0,SHA256=43DD89DBD8831713C1D8B87BA7B6688427DBB2C473870669C05EA00CC33525B0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000213624Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:28.471{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51135-false10.0.1.12-8000- 23542300x8000000000000000213627Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:32.895{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C7EB1EE3ABE973796863AE2B1051DAB,SHA256=26F431FE30A35ADE26C4703E8E0225D4727B1E5E4F42007FED7817357C867274,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284485Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:32.861{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A3237461F9F7A78EE3EB8C11C0A1CC2,SHA256=3BF8B4449CF6860C13FC053061F06B32DAF63A2C83C2FEF3032BCF4175530EC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213626Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:32.382{4F8D34B0-F11D-6215-1D00-000000003902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04ffbe17aee3fbf0d\channels\health\respondent-20220223083233-117MD5=7840F8D654EED3E7C6FA395A9E23FA56,SHA256=FC4C38DACEF1698268BE802A03907A00216EAC67FA531AF20528DD4173FB9624,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213629Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:33.899{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF26D7A3DEF4365A7C394095E5CD13A3,SHA256=40BDCDBC3A5B2B49FC90C04C3CD1DFBE0F4EF84516473E3FE5D3F1D66F9A872D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284488Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:33.877{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3886F8E09AEA1FF94D15A68F7E950BF,SHA256=6B3F1303BF63A33DBF4E41E268100952E4E63311B16AA096089F45F46E4B3D08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213628Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:33.381{4F8D34B0-F11D-6215-1D00-000000003902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04ffbe17aee3fbf0d\channels\health\surveyor-20220223083230-118MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000284487Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:30.554{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53176-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000284486Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:33.230{C8EA50B7-F11F-6215-1300-000000003802}616NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=B6B1005DE87C92761D8A2945C916F028,SHA256=F166BBB82803136AA36CFC46A917EE6230328CAE4F249EF18E353B3030C6FBDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213630Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:34.899{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D105BBDA343D32C81AF35C582B910E0,SHA256=AAF3BBDC32BE41705A351A7C3B66DC2FFB999C37A2095BE4C466884885F6AAE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284489Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:34.895{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DAE19AFFFC0C987A3EBE701F8564070,SHA256=A9899A56D7D3BC0F5BE41E72D969991B2129F610BADF4212908E0080193CE387,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284490Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:35.914{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D7F0B0F2DF1E9FB2F87B40012971A4F,SHA256=FFCED3890FEB7AC9A543D00B8D427F40F8E214C493DD801ED74EE60A96CFD3D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213632Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:35.915{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75EAA6AA2B93BB911E855D046476E7BA,SHA256=56D670E7AD8B713F5FB4955A1114D4724007F39E6972EDFF737854127D3ECEFB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000213631Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:33.586{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51136-false10.0.1.12-8000- 23542300x8000000000000000284491Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:36.929{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=843F5D8DCEAFB6C8BC6D17BA7DE1075A,SHA256=1D2CD7BF86B004F837D014A7D10F4F14A2DED2CBE502463B40D1DF4C316C59D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213633Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:36.915{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BF3415B904DE66F70AD7A2088A5CD38,SHA256=C9104D8B6CD74C78A56456F6E34E60309AD1B7A95441001B93159A5995FB21F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213634Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:37.930{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1ED79B863CDC45DF421C0596BD6E0930,SHA256=D1098427CB212465AA508C312014B66E56FF7EDE333735F8C23A100384BDA5D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284492Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:37.944{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C44241F5C8411864D0D55D13607C74A,SHA256=E28A32F45D72A194E874486918D8EDBF4DB375A87C0740971E7A5DBD0ED55A0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213635Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:38.930{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AAAB004A8050892B69F3B76A466198C,SHA256=C9F913D46A5A2887E1D33B9E32280D2582B1B1E6D53D9DD215C8ECC9F31F9FA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284493Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:38.959{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E20AD5D4B019792ED0F9D0808E198EC9,SHA256=0A62E54A6E837B9FC9E6F8F126312467931045E0000E73193829EC8D7E029AF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284496Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:39.974{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F6392C03965C8A3B9A5326FDDA6AB64,SHA256=B3FED1F155D76D537DB113C299D0DE8DE2FE2B70264D1ED5FE6C9DF2655C3E61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213636Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:39.946{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12EB513AE56FB68D9CA09DDCD940516C,SHA256=6476BDB5D6AAE71F7B8DCA2BB7FC7FB76B59C2CFFC3247E2AC827E5B57A3D9E1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000284495Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:36.554{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53177-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000284494Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:39.374{C8EA50B7-F130-6215-3000-000000003802}2512NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C796F5788518CF0F57AB5C87207C5D14,SHA256=0CE7095FECB35749AB15D15586D728EDDAEC94009FC3FB4FCEDC790B064FF951,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213637Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:40.946{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80270E3CB2236D9EFDA3525895F15BB3,SHA256=AE1C692369462CA46DCD9F4933DCFBAC3A0BB1AA394DFDE7D3E040F44E3BD090,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000284504Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:38.821{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53178-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 10341000x8000000000000000284503Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:40.558{C8EA50B7-F11D-6215-0B00-000000003802}628792C:\Windows\system32\lsass.exe{C8EA50B7-F118-6215-0100-000000003802}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+97022|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2f1f1|C:\Windows\system32\lsasrv.dll+2d0d6|C:\Windows\system32\lsasrv.dll+32919|C:\Windows\system32\lsasrv.dll+30267|C:\Windows\system32\lsasrv.dll+2f1f1|C:\Windows\system32\lsasrv.dll+1752d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000284502Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:40.558{C8EA50B7-F11D-6215-0B00-000000003802}628792C:\Windows\system32\lsass.exe{C8EA50B7-F11F-6215-1500-000000003802}1092C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284501Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:40.442{C8EA50B7-F11D-6215-0B00-000000003802}628792C:\Windows\system32\lsass.exe{C8EA50B7-F11F-6215-1000-000000003802}364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284500Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:40.442{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-F11F-6215-1000-000000003802}364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000284499Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:40.295{C8EA50B7-F130-6215-3000-000000003802}2512NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db\snapshot.old\snap.datMD5=6CF9A8767A7C5C3336EAAE94DD7E2785,SHA256=2D8683EA5F0648B85E1F5FE8784B32082818B6C42E179A2E3300CAF5FDC956EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284498Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:40.295{C8EA50B7-F130-6215-3000-000000003802}2512NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db\snapshot.old\btree_records.datMD5=1A79FAAEC2C81CF6122ECABE22A9AB1D,SHA256=0CDEF564B765EC1044A5FF4DCDC57AAB7D2E3A62E2AA457D2B89C77C9D115552,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284497Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:40.295{C8EA50B7-F130-6215-3000-000000003802}2512NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db\snapshot.old\btree_index.datMD5=509BA9E1023BD4FC06C0BC8063BA1873,SHA256=39058889EBF7EFBBB5E65F35E8B3268268B6B3E3AD055C0E9BD5623904581A18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213638Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:41.962{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=163C0D5ABB24C946C96CB1F10A628851,SHA256=251FF82C2B9E4A743FCDF0EAFFC41185D60D373B6F788FB114C55F5B9D5B715E,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000284512Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 10:33:41.749{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\6FC0DF5C-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_6FC0DF5C-0000-0000-0000-100000000000.XML 13241300x8000000000000000284511Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 10:33:41.749{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\BA30863B-E0B8-488B-829D-A0E9DE6AE59C\Config SourceDWORD (0x00000001) 13241300x8000000000000000284510Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 10:33:41.749{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\BA30863B-E0B8-488B-829D-A0E9DE6AE59C\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_BA30863B-E0B8-488B-829D-A0E9DE6AE59C.XML 10341000x8000000000000000284509Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:41.734{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284508Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:41.734{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000284507Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:41.481{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=91605D5EF26484A5CC8BDE07810C9FA8,SHA256=3FAE13C927B0E96BFA2766D8090A0EEA2B42111ABE3BDCC007D0FA4757854F18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284506Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:41.481{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2141B5037A780B4C47BBF6BE113C0B2A,SHA256=6AEF9A806993048A73476EF9FADBDAA20949F1E4D949B76E64485578AC645713,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284505Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:41.026{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B43A5CA2675735F57CE9BB0B9B4E788D,SHA256=B4E3779EB1ED37A3A57BD182ABE2647EA86C76B16224F42595976D359EC61220,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213640Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:42.977{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=809352B78411411B9F422FB4ADD62EF3,SHA256=210EEF906B8084615165C4414F9ED3A7AAE9AA784865BF15600A8460F48F6068,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000213639Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:39.476{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51137-false10.0.1.12-8000- 354300x8000000000000000284526Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:40.042{C8EA50B7-F118-6215-0100-000000003802}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local53183-truefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local445microsoft-ds 354300x8000000000000000284525Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:40.042{C8EA50B7-F118-6215-0100-000000003802}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local53183-truefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local445microsoft-ds 354300x8000000000000000284524Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:39.934{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53182-false10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000284523Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:39.933{C8EA50B7-F11F-6215-1000-000000003802}364C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53182-false10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000284522Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:39.924{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local53181-truefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000284521Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:39.924{C8EA50B7-F11F-6215-1000-000000003802}364C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local53181-truefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000284520Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:39.924{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local53180-truefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local49666- 354300x8000000000000000284519Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:39.924{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local53180-truefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local49666- 354300x8000000000000000284518Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:39.923{C8EA50B7-F11F-6215-0D00-000000003802}888C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local53179-truefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local135epmap 354300x8000000000000000284517Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:39.923{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local53179-truefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local135epmap 10341000x8000000000000000284516Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:42.580{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284515Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:42.580{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284514Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:42.580{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000284513Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:42.033{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD25C2111562C2DE30A1F4FCAC84D13C,SHA256=18289F9F667DE3198FBC1E82B9780E1ECAB784267ABC273E9C9AEE8ADEA10D04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213641Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:43.993{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35CD6F5097DE2098CB2A3A766A228916,SHA256=41654F71F48954D197EC797B066B0467FA442A8E2B2934CEDA1235D0AC817ACD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000284540Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:42.058{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53186-false10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000284539Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:42.058{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53186-false10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local389ldap 23542300x8000000000000000284538Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:43.582{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=91605D5EF26484A5CC8BDE07810C9FA8,SHA256=3FAE13C927B0E96BFA2766D8090A0EEA2B42111ABE3BDCC007D0FA4757854F18,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000284537Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:43.582{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284536Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:43.582{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000284535Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:41.612{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53185-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000284534Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:41.233{C8EA50B7-F11F-6215-1500-000000003802}1092C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10e:0:0:c830:d833:fbf:ffff-54276-truee000:fc:0:0:0:0:0:0-5355llmnr 354300x8000000000000000284533Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:41.233{C8EA50B7-F11F-6215-1500-000000003802}1092C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local54276-trueff02:0:0:0:0:0:1:3-5355llmnr 354300x8000000000000000284532Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:41.214{C8EA50B7-F11F-6215-0D00-000000003802}888C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local53184-truefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local135epmap 354300x8000000000000000284531Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:41.214{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local53184-truefe80:0:0:0:dc9d:9662:799b:139cwin-dc-tcontreras-attack-range-173.attackrange.local135epmap 10341000x8000000000000000284530Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:43.419{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284529Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:43.419{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284528Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:43.419{C8EA50B7-F11D-6215-0B00-000000003802}628824C:\Windows\system32\lsass.exe{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000284527Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:43.102{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A8441ABF46E399CA0C24A6CEBB5DE51,SHA256=9FB5373D8D199E9763F815B4A3C42D55030562147C45E90C061816F64B3E64A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213642Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:44.993{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C15BC32284660ED576C70995842C4D0B,SHA256=0CEEF357F21ADF181CD93F758CE1363BA6165945CE7D4B1070A6D2F511A12E31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284541Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:44.119{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC3E6E1BA69CDB047A1B08C4BFF1CC69,SHA256=B01CD5892DA465BCD4D61FC9789D8D31B9A77A87B5319319FEB2632BA292A467,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000284551Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:42.897{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53187-false10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000284550Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:42.897{C8EA50B7-F130-6215-2900-000000003802}3048C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53187-false10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local389ldap 23542300x8000000000000000284549Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:45.581{C8EA50B7-0169-6216-B402-000000003802}4248ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\datareporting\glean\pending_pings\bcbbb622-4c3f-4d7b-b8d4-2b13bfb7f68bMD5=02213EC848451B3F02BB7EAF35036FF6,SHA256=DC737F89822027D7EF4E30066E24262565AFD0CF7C2D6AA0992A65A1247D8299,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284548Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:45.319{C8EA50B7-0169-6216-B402-000000003802}4248ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\datareporting\aborted-session-pingMD5=4C73FEDBE8618C3D97840B0AD31FBF69,SHA256=0AF8B2A1553B24EC2A7628C57EADDA7E9AEA64E0FAD96CC48957356550F0B542,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284547Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:45.281{C8EA50B7-0169-6216-B402-000000003802}4248ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\datareporting\glean\db\data.safe.binMD5=EF09B4E57671E707683DE7EF899B69A6,SHA256=1499ABA0A57C7745C0E574A6E415C5CEF9636504DC6E4F1696DF4F787D8C0479,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284546Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:45.281{C8EA50B7-0169-6216-B402-000000003802}4248ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\datareporting\glean\db\data.safe.binMD5=F20DE062BBE0C7A8438F39D9B3692106,SHA256=411E9F29A380886B6C2C2EE95C72CCC3E927F996490D65D4E27A1F6D0306CF5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284545Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:45.265{C8EA50B7-0169-6216-B402-000000003802}4248ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\datareporting\glean\db\data.safe.binMD5=76B26BBAB7D5A517D3EB8BF01D64988F,SHA256=A30F00BDCE2E73EC9384B8351C30346379D9885C10BAD68945348D0F610A9301,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284544Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:45.265{C8EA50B7-0169-6216-B402-000000003802}4248ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\datareporting\glean\db\data.safe.binMD5=5C527EEC583A71E14591C5DA7405CDA0,SHA256=A347A44AA4EC8BEF48EB471E573942DB39AFB240DFCDD19393F475504CD41BE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284543Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:45.265{C8EA50B7-0169-6216-B402-000000003802}4248ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\datareporting\glean\db\data.safe.binMD5=B4AD484BBB16EDEB346E10DAABA3FCFD,SHA256=5000C87ACED6E56197FD286C43F2986B9BA756CA42E42D8BE45C6B41C8D9E388,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284542Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:45.134{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=558564D174C400FF68B53FACFBAE128A,SHA256=83BC5358AE847BD647BEEEFC0291FFA7346787031D676F1F321274A6161D8FA8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000213669Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:45.633{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-0D89-6216-E103-000000003902}1936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213668Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:45.633{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213667Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:45.633{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213666Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:45.633{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213665Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:45.633{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213664Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:45.633{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213663Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:45.633{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213662Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:45.633{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213661Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:45.633{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213660Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:45.633{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213659Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:45.633{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-0D89-6216-E103-000000003902}1936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000213658Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:45.633{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-0D89-6216-E103-000000003902}1936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000213657Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:45.635{4F8D34B0-0D89-6216-E103-000000003902}1936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000213656Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:45.618{4F8D34B0-F11D-6215-2300-000000003902}2036NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C796F5788518CF0F57AB5C87207C5D14,SHA256=0CE7095FECB35749AB15D15586D728EDDAEC94009FC3FB4FCEDC790B064FF951,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000213655Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:45.133{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-0D89-6216-E003-000000003902}2404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213654Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:45.133{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213653Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:45.133{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213652Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:45.133{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213651Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:45.133{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213650Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:45.133{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213649Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:45.133{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213648Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:45.133{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213647Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:45.133{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213646Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:45.133{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213645Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:45.133{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-0D89-6216-E003-000000003902}2404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000213644Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:45.133{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-0D89-6216-E003-000000003902}2404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000213643Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:45.134{4F8D34B0-0D89-6216-E003-000000003902}2404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000284558Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:44.834{C8EA50B7-0169-6216-B402-000000003802}4248C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53188-false34.120.208.123123.208.120.34.bc.googleusercontent.com443https 354300x8000000000000000284557Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:44.833{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local51634- 354300x8000000000000000284556Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:44.831{C8EA50B7-F11F-6215-1500-000000003802}1092C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudpfalsefalse127.0.0.1-65535-false127.0.0.1-53domain 354300x8000000000000000284555Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:44.812{C8EA50B7-F130-6215-2E00-000000003802}1748C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-65535- 354300x8000000000000000284554Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:44.812{C8EA50B7-F11F-6215-1500-000000003802}1092C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue7f00:1:0:0:98f0:e32b:fbf:ffff-65535-true7f00:1:0:0:0:0:0:0-53domain 23542300x8000000000000000284553Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:46.150{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=720756537901EC92A3B48144191076B5,SHA256=4EC2D0AFE97362B4DBC87A8AFAD1DBCAF12581C40587CB2528505DEE695CCDBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213673Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:46.274{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C71EBD123762779D8028010D4D1311CA,SHA256=F2CF8205D19F4AAC870A79BEAFA499ECB32110035761E627091579437CB3F843,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213672Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:46.274{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCC20C3199EB9768BBCB399921A5B41A,SHA256=41EBC140EF14EEDB4F97FBA93F3D91767EC0D4955AFED52B5EDC21B5915AB1BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213671Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:46.274{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=65CB46174FDF03152BEF90D67867C3D6,SHA256=DCE20E5C93DBCD2F26EDDF56AA1B80BAB046B9FD6956F4B07A0E29B7093FF488,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000284552Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:46.118{C8EA50B7-F11D-6215-0B00-000000003802}6281356C:\Windows\system32\lsass.exe{C8EA50B7-F11F-6215-1500-000000003802}1092C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213670Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:45.993{4F8D34B0-0D89-6216-E103-000000003902}19362452C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213701Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:47.915{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-0D8B-6216-E303-000000003902}1172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213700Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:47.915{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213699Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:47.915{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213698Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:47.915{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213697Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:47.915{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213696Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:47.915{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213695Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:47.915{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213694Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:47.915{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213693Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:47.915{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213692Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:47.915{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213691Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:47.915{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-0D8B-6216-E303-000000003902}1172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000213690Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:47.915{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-0D8B-6216-E303-000000003902}1172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000213689Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:47.916{4F8D34B0-0D8B-6216-E303-000000003902}1172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000213688Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:47.415{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-0D8B-6216-E203-000000003902}2740C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213687Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:47.415{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213686Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:47.415{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213685Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:47.415{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213684Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:47.415{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213683Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:47.415{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213682Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:47.415{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213681Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:47.415{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213680Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:47.415{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213679Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:47.415{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213678Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:47.415{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-0D8B-6216-E203-000000003902}2740C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000213677Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:47.415{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-0D8B-6216-E203-000000003902}2740C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000213676Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:47.416{4F8D34B0-0D8B-6216-E203-000000003902}2740C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000213675Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:47.305{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E888848BB31508B8B32C19C398019E70,SHA256=9E18BE101277351F2E412663EA4A1C85FB7B2FF61FFAAB5C30789EA59231B32A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000284622Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.966{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284621Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.966{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284620Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.966{C8EA50B7-F11D-6215-0B00-000000003802}628792C:\Windows\system32\lsass.exe{C8EA50B7-F11C-6215-0A00-000000003802}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1b8ad|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284619Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.966{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F11F-6215-1000-000000003802}364C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284618Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.919{C8EA50B7-F11D-6215-0B00-000000003802}628792C:\Windows\system32\lsass.exe{C8EA50B7-0D8B-6216-8E04-000000003802}2268C:\Program Files\Mozilla Firefox\pingsender.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284617Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.919{C8EA50B7-F11D-6215-0B00-000000003802}628792C:\Windows\system32\lsass.exe{C8EA50B7-0D8B-6216-8E04-000000003802}2268C:\Program Files\Mozilla Firefox\pingsender.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284616Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.919{C8EA50B7-F11F-6215-0D00-000000003802}888916C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+f8c6|c:\windows\system32\rpcss.dll+1255a|c:\windows\system32\rpcss.dll+77ac|C:\Windows\System32\RPCRT4.dll+6a428|C:\Windows\System32\RPCRT4.dll+2ef79|C:\Windows\System32\RPCRT4.dll+2ed93|C:\Windows\System32\RPCRT4.dll+142d4|C:\Windows\System32\RPCRT4.dll+14751|C:\Windows\System32\RPCRT4.dll+11a1d|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284615Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.919{C8EA50B7-F11F-6215-0D00-000000003802}888916C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+f8c6|c:\windows\system32\rpcss.dll+1255a|c:\windows\system32\rpcss.dll+77ac|C:\Windows\System32\RPCRT4.dll+6a428|C:\Windows\System32\RPCRT4.dll+2ef79|C:\Windows\System32\RPCRT4.dll+2ed93|C:\Windows\System32\RPCRT4.dll+142d4|C:\Windows\System32\RPCRT4.dll+14751|C:\Windows\System32\RPCRT4.dll+11a1d|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284614Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.919{C8EA50B7-F11F-6215-0D00-000000003802}888916C:\Windows\system32\svchost.exe{C8EA50B7-F2AF-6215-C200-000000003802}4300C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+f8c6|c:\windows\system32\rpcss.dll+1255a|c:\windows\system32\rpcss.dll+77ac|C:\Windows\System32\RPCRT4.dll+6a428|C:\Windows\System32\RPCRT4.dll+2ef79|C:\Windows\System32\RPCRT4.dll+2ed93|C:\Windows\System32\RPCRT4.dll+142d4|C:\Windows\System32\RPCRT4.dll+14751|C:\Windows\System32\RPCRT4.dll+11a1d|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284613Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.919{C8EA50B7-F11F-6215-0D00-000000003802}888916C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+f8c6|c:\windows\system32\rpcss.dll+1255a|c:\windows\system32\rpcss.dll+77ac|C:\Windows\System32\RPCRT4.dll+6a428|C:\Windows\System32\RPCRT4.dll+2ef79|C:\Windows\System32\RPCRT4.dll+2ed93|C:\Windows\System32\RPCRT4.dll+142d4|C:\Windows\System32\RPCRT4.dll+14751|C:\Windows\System32\RPCRT4.dll+11a1d|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284612Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.919{C8EA50B7-F11F-6215-0D00-000000003802}888916C:\Windows\system32\svchost.exe{C8EA50B7-F2AD-6215-C000-000000003802}4856C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+f8c6|c:\windows\system32\rpcss.dll+1255a|c:\windows\system32\rpcss.dll+77ac|C:\Windows\System32\RPCRT4.dll+6a428|C:\Windows\System32\RPCRT4.dll+2ef79|C:\Windows\System32\RPCRT4.dll+2ed93|C:\Windows\System32\RPCRT4.dll+142d4|C:\Windows\System32\RPCRT4.dll+14751|C:\Windows\System32\RPCRT4.dll+11a1d|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284611Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.882{C8EA50B7-F11F-6215-1500-000000003802}1092100C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284610Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.835{C8EA50B7-F11F-6215-1000-000000003802}364764C:\Windows\system32\svchost.exe{C8EA50B7-0D8B-6216-8F04-000000003802}5156C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284609Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.835{C8EA50B7-F11F-6215-1000-000000003802}3641376C:\Windows\system32\svchost.exe{C8EA50B7-0D8B-6216-8F04-000000003802}5156C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284608Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.820{C8EA50B7-0D8B-6216-8F04-000000003802}51563244C:\Windows\system32\conhost.exe{C8EA50B7-0D8B-6216-8E04-000000003802}2268C:\Program Files\Mozilla Firefox\pingsender.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000284607Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.820{C8EA50B7-0169-6216-B402-000000003802}4248ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\datareporting\glean\db\data.safe.binMD5=92EB96F584A7057DBF667877AAE18867,SHA256=F36DB29B6900A7B392B2856F3758944EF15A3DC2FB1CF4C514624F043CFEE90C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000284606Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.804{C8EA50B7-F2AA-6215-B100-000000003802}22443360C:\Windows\system32\csrss.exe{C8EA50B7-0D8B-6216-8F04-000000003802}5156C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 23542300x8000000000000000284605Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.804{C8EA50B7-0169-6216-B402-000000003802}4248ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\datareporting\glean\db\data.safe.binMD5=EF09B4E57671E707683DE7EF899B69A6,SHA256=1499ABA0A57C7745C0E574A6E415C5CEF9636504DC6E4F1696DF4F787D8C0479,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000284604Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.804{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284603Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.804{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284602Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.804{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284601Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.804{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284600Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.804{C8EA50B7-F2AA-6215-B100-000000003802}22443360C:\Windows\system32\csrss.exe{C8EA50B7-0D8B-6216-8E04-000000003802}2268C:\Program Files\Mozilla Firefox\pingsender.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000284599Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.804{C8EA50B7-0169-6216-B402-000000003802}42485616C:\Program Files\Mozilla Firefox\firefox.exe{C8EA50B7-0D8B-6216-8E04-000000003802}2268C:\Program Files\Mozilla Firefox\pingsender.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Mozilla Firefox\xul.dll+2195b7f|C:\Program Files\Mozilla Firefox\xul.dll+2195995|C:\Program Files\Mozilla Firefox\xul.dll+21959e1|C:\Program Files\Mozilla Firefox\xul.dll+1f97402|C:\Program Files\Mozilla Firefox\xul.dll+1a149ae|C:\Program Files\Mozilla Firefox\xul.dll+1a160f2|C:\Program Files\Mozilla Firefox\xul.dll+1bde499|C:\Program Files\Mozilla Firefox\xul.dll+179ae0c|C:\Program Files\Mozilla Firefox\xul.dll+13b7d2|C:\Program Files\Mozilla Firefox\xul.dll+154551e|UNKNOWN(000001D1D5754AA0) 154100x8000000000000000284598Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.808{C8EA50B7-0D8B-6216-8E04-000000003802}2268C:\Program Files\Mozilla Firefox\pingsender.exe97.0.1-FirefoxMozilla Foundationpingsender.exe"C:\Program Files\Mozilla Firefox\pingsender.exe" https://incoming.telemetry.mozilla.org/submit/telemetry/1868edc7-c857-4cda-bf8d-c3c683167443/event/Firefox/97.0.1/release/20220216172458?v=4 C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\saved-telemetry-pings\1868edc7-c857-4cda-bf8d-c3c683167443 https://incoming.telemetry.mozilla.org/submit/telemetry/7a931ddd-ad59-42aa-8f07-8e0b9ff26739/main/Firefox/97.0.1/release/20220216172458?v=4 C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\saved-telemetry-pings\7a931ddd-ad59-42aa-8f07-8e0b9ff26739C:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{C8EA50B7-F2AC-6215-B31E-0B0000000000}0xb1eb32MediumMD5=02AB913D3540422BFA0A676B861403F0,SHA256=9C14E91757BD1A4F8F2AC4B3F9D6294A8250C8DA03A110D358A6C785B56A273A,IMPHASH=AF27FA7223A9B6FE80447A0E6715E632{C8EA50B7-0169-6216-B402-000000003802}4248C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 23542300x8000000000000000284597Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.804{C8EA50B7-0169-6216-B402-000000003802}4248ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\datareporting\aborted-session-pingMD5=ACC81F4E82D7168A6C94A58AAF0D5E91,SHA256=7DC13A04E37A10229BE461C7966ABEF55B25379F13034B09D98CD7274DB82685,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284596Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.751{C8EA50B7-0169-6216-B402-000000003802}4248ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\storage.sqlite-journalMD5=96BB172370367CCA60870763CC50221A,SHA256=C5799C3480BF879AB36EC359CE2D34F31B2C6F80568EB4E4B303165F6895EEBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284595Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.735{C8EA50B7-0169-6216-B402-000000003802}4248ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-walMD5=04792AB6DB83E2AD3CA851DDA7DB1E3C,SHA256=4ADA47CC311C530BE18868F0D452AAD291A45F6743C39872FE9F7561127DAA5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284594Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.735{C8EA50B7-0169-6216-B402-000000003802}4248ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=4B69EABCB44AE2CB38D074D2F5BF014B,SHA256=C886DDB107FC27A4F7323D45D5FC6CA9D22210E29412A78E35F2A0F339F04A04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284593Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.719{C8EA50B7-0169-6216-B402-000000003802}4248ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\xulstore.jsonMD5=C0AA4F6F7078705CF225CC9703918D17,SHA256=C27A69EBDC4BF33CDA12D758E155B64789F68B2FB69C33694314A7BD7096330A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284592Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.719{C8EA50B7-0169-6216-B402-000000003802}4248ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284591Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.719{C8EA50B7-0169-6216-B402-000000003802}4248ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\favicons.sqlite-walMD5=DCA86FF68E85D8F8DA92415B6B773A45,SHA256=FA4A1EF2B7020A639EB1ABAB208BA02F37EF7678E8570EFA7391F193EBB51480,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284590Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.704{C8EA50B7-0169-6216-B402-000000003802}4248ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\favicons.sqlite-shmMD5=1033E1498707219F197623C123FDD7B5,SHA256=7EB6D6BE30DFDCACC17157C40052B80F96580AF770C5E0DAB07011C7A1615879,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284589Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.704{C8EA50B7-0169-6216-B402-000000003802}4248ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\places.sqlite-walMD5=6F61353C5EE0409F30B6060E76D164A7,SHA256=8FF922243F76EC40526E716109CA776DBAFCD0C119E5EF207F4F547D3E014952,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284588Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.682{C8EA50B7-0169-6216-B402-000000003802}4248ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\places.sqlite-shmMD5=031633A3C890A5CB129F2392827367F8,SHA256=C54561CA2E757C1E8DCA0AF8B8BE7E43BB5113E60CDCE839A2B2A240E8EAC72A,IMPHASH=00000000000000000000000000000000falsetrue 17141700x8000000000000000284587Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-CreatePipe2022-02-23 10:33:47.650{C8EA50B7-0169-6216-B402-000000003802}4248\chrome.4248.27.10774680C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000284586Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-CreatePipe2022-02-23 10:33:47.650{C8EA50B7-0169-6216-B402-000000003802}4248\chrome.4248.26.61084029C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000284585Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-CreatePipe2022-02-23 10:33:47.650{C8EA50B7-0169-6216-B402-000000003802}4248\chrome.4248.25.59240354C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000284584Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-CreatePipe2022-02-23 10:33:47.650{C8EA50B7-0169-6216-B402-000000003802}4248\chrome.4248.24.118981635C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000284583Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.635{C8EA50B7-0169-6216-B402-000000003802}4248ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\cookies.sqlite-walMD5=007A4FE2F1859938790B71050EE83E01,SHA256=E36EEB47D52C48FD9AEDDE3FCD018C77429DA7639B53CC1B25D289EE32524DE5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000284582Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.619{C8EA50B7-0169-6216-B402-000000003802}42485616C:\Program Files\Mozilla Firefox\firefox.exe{C8EA50B7-018A-6216-C502-000000003802}4360C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2bd60|C:\Program Files\Mozilla Firefox\xul.dll+e38a9d|C:\Program Files\Mozilla Firefox\xul.dll+e32cb9|C:\Program Files\Mozilla Firefox\xul.dll+e28dfc|C:\Program Files\Mozilla Firefox\xul.dll+1f97402|C:\Program Files\Mozilla Firefox\xul.dll+1a149ae|C:\Program Files\Mozilla Firefox\xul.dll+1a160f2|C:\Program Files\Mozilla Firefox\xul.dll+1bde499|C:\Program Files\Mozilla Firefox\xul.dll+179ae0c|C:\Program Files\Mozilla Firefox\xul.dll+129873|C:\Program Files\Mozilla Firefox\xul.dll+126c0cc|C:\Program Files\Mozilla Firefox\xul.dll+1be862b|C:\Program Files\Mozilla Firefox\xul.dll+1bdeaf8|C:\Program Files\Mozilla Firefox\xul.dll+179ae0c|C:\Program Files\Mozilla Firefox\xul.dll+1749117|UNKNOWN(000001D1D5751E54) 10341000x8000000000000000284581Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.619{C8EA50B7-0169-6216-B402-000000003802}42485616C:\Program Files\Mozilla Firefox\firefox.exe{C8EA50B7-0175-6216-C002-000000003802}5104C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2bd60|C:\Program Files\Mozilla Firefox\xul.dll+e38a9d|C:\Program Files\Mozilla Firefox\xul.dll+e32cb9|C:\Program Files\Mozilla Firefox\xul.dll+e28dfc|C:\Program Files\Mozilla Firefox\xul.dll+1f97402|C:\Program Files\Mozilla Firefox\xul.dll+1a149ae|C:\Program Files\Mozilla Firefox\xul.dll+1a160f2|C:\Program Files\Mozilla Firefox\xul.dll+1bde499|C:\Program Files\Mozilla Firefox\xul.dll+179ae0c|C:\Program Files\Mozilla Firefox\xul.dll+129873|C:\Program Files\Mozilla Firefox\xul.dll+126c0cc|C:\Program Files\Mozilla Firefox\xul.dll+1be862b|C:\Program Files\Mozilla Firefox\xul.dll+1bdeaf8|C:\Program Files\Mozilla Firefox\xul.dll+179ae0c|C:\Program Files\Mozilla Firefox\xul.dll+1749117|UNKNOWN(000001D1D5751E54) 10341000x8000000000000000284580Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.619{C8EA50B7-0169-6216-B402-000000003802}42485616C:\Program Files\Mozilla Firefox\firefox.exe{C8EA50B7-0174-6216-BF02-000000003802}3332C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2bd60|C:\Program Files\Mozilla Firefox\xul.dll+e38a9d|C:\Program Files\Mozilla Firefox\xul.dll+e32cb9|C:\Program Files\Mozilla Firefox\xul.dll+e28dfc|C:\Program Files\Mozilla Firefox\xul.dll+1f97402|C:\Program Files\Mozilla Firefox\xul.dll+1a149ae|C:\Program Files\Mozilla Firefox\xul.dll+1a160f2|C:\Program Files\Mozilla Firefox\xul.dll+1bde499|C:\Program Files\Mozilla Firefox\xul.dll+179ae0c|C:\Program Files\Mozilla Firefox\xul.dll+129873|C:\Program Files\Mozilla Firefox\xul.dll+126c0cc|C:\Program Files\Mozilla Firefox\xul.dll+1be862b|C:\Program Files\Mozilla Firefox\xul.dll+1bdeaf8|C:\Program Files\Mozilla Firefox\xul.dll+179ae0c|C:\Program Files\Mozilla Firefox\xul.dll+1749117|UNKNOWN(000001D1D5751E54) 23542300x8000000000000000284579Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.619{C8EA50B7-0169-6216-B402-000000003802}4248ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\cookies.sqlite-shmMD5=8AFDC709E073C996DDE9813C4964F305,SHA256=92770B7CFF0D6AF92CC6F7AAE2A1861A841FF63FAA8DE72C3FE8891E71942210,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000284578Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.619{C8EA50B7-0169-6216-B402-000000003802}42485616C:\Program Files\Mozilla Firefox\firefox.exe{C8EA50B7-016A-6216-B702-000000003802}1800C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2bd60|C:\Program Files\Mozilla Firefox\xul.dll+e38a9d|C:\Program Files\Mozilla Firefox\xul.dll+e32cb9|C:\Program Files\Mozilla Firefox\xul.dll+e28dfc|C:\Program Files\Mozilla Firefox\xul.dll+1f97402|C:\Program Files\Mozilla Firefox\xul.dll+1a149ae|C:\Program Files\Mozilla Firefox\xul.dll+1a160f2|C:\Program Files\Mozilla Firefox\xul.dll+1bde499|C:\Program Files\Mozilla Firefox\xul.dll+179ae0c|C:\Program Files\Mozilla Firefox\xul.dll+129873|C:\Program Files\Mozilla Firefox\xul.dll+126c0cc|C:\Program Files\Mozilla Firefox\xul.dll+1be862b|C:\Program Files\Mozilla Firefox\xul.dll+1bdeaf8|C:\Program Files\Mozilla Firefox\xul.dll+179ae0c|C:\Program Files\Mozilla Firefox\xul.dll+1749117|UNKNOWN(000001D1D5751E54) 11241100x8000000000000000284577Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.619{C8EA50B7-0169-6216-B402-000000003802}4248C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\SiteSecurityServiceState.txt2022-02-22 11:23:49.748 23542300x8000000000000000284576Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.619{C8EA50B7-0169-6216-B402-000000003802}4248ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\webappsstore.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284575Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.619{C8EA50B7-0169-6216-B402-000000003802}4248ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\SiteSecurityServiceState.txtMD5=DFAF67DAB625DDFE875EEB684D6DCEA5,SHA256=BF72D23ABF4C5791D620A82A961015B42B05BB47FA92B116B4356A44F3F2918B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284574Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.603{C8EA50B7-0169-6216-B402-000000003802}4248ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000284573Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.582{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-0169-6216-B402-000000003802}4248C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1a375|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x8000000000000000284572Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-CreatePipe2022-02-23 10:33:47.582{C8EA50B7-0169-6216-B402-000000003802}4248\chrome.4248.23.34576852C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000284571Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-CreatePipe2022-02-23 10:33:47.566{C8EA50B7-0169-6216-B402-000000003802}4248\chrome.4248.22.57848119C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000284570Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.566{C8EA50B7-0169-6216-B402-000000003802}4248ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\sessionstore-backups\recovery.jsonlz4MD5=F4AD3687A0E1A9F87CECC38268B77689,SHA256=45B20C6622535B7A2AAA292680172E098BCC5D245B7C6A5C91DFF4AFE43DDFEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284569Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.566{C8EA50B7-0169-6216-B402-000000003802}4248ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\sessionstore-backups\recovery.baklz4MD5=AC30B39212B38CAA30C47558287D4CA8,SHA256=DC2142694DDCD4E84B6708A81E41E8FF3E5B9C0C300266283816A3549B19A711,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000284568Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.535{C8EA50B7-0169-6216-B402-000000003802}42485616C:\Program Files\Mozilla Firefox\firefox.exe{C8EA50B7-0171-6216-BE02-000000003802}5264C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2bd60|C:\Program Files\Mozilla Firefox\xul.dll+e38a9d|C:\Program Files\Mozilla Firefox\xul.dll+e38528|C:\Program Files\Mozilla Firefox\xul.dll+840734|C:\Program Files\Mozilla Firefox\xul.dll+834311|C:\Program Files\Mozilla Firefox\xul.dll+19c76f6|C:\Program Files\Mozilla Firefox\xul.dll+19c6153|C:\Program Files\Mozilla Firefox\xul.dll+168ec17|C:\Program Files\Mozilla Firefox\xul.dll+1f97402|C:\Program Files\Mozilla Firefox\xul.dll+1a149ae|C:\Program Files\Mozilla Firefox\xul.dll+1a160f2|UNKNOWN(000001D1D5772FAA) 10341000x8000000000000000284567Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.519{C8EA50B7-0169-6216-B402-000000003802}42485616C:\Program Files\Mozilla Firefox\firefox.exe{C8EA50B7-016A-6216-B702-000000003802}1800C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2bd60|C:\Program Files\Mozilla Firefox\xul.dll+e38a9d|C:\Program Files\Mozilla Firefox\xul.dll+e38528|C:\Program Files\Mozilla Firefox\xul.dll+840734|C:\Program Files\Mozilla Firefox\xul.dll+834311|C:\Program Files\Mozilla Firefox\xul.dll+19c76f6|C:\Program Files\Mozilla Firefox\xul.dll+19c6153|C:\Program Files\Mozilla Firefox\xul.dll+168ec17|C:\Program Files\Mozilla Firefox\xul.dll+1f97402|C:\Program Files\Mozilla Firefox\xul.dll+1a149ae|C:\Program Files\Mozilla Firefox\xul.dll+1a160f2|UNKNOWN(000001D1D5772FAA) 10341000x8000000000000000284566Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.419{C8EA50B7-F2AD-6215-C000-000000003802}48564340C:\Windows\Explorer.EXE{C8EA50B7-F33D-6215-E300-000000003802}4920C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284565Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.419{C8EA50B7-F2AD-6215-C000-000000003802}48564340C:\Windows\Explorer.EXE{C8EA50B7-F33D-6215-E300-000000003802}4920C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284564Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.419{C8EA50B7-F2AD-6215-C000-000000003802}48564340C:\Windows\Explorer.EXE{C8EA50B7-F33D-6215-E300-000000003802}4920C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284563Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.403{C8EA50B7-F2AD-6215-C000-000000003802}48565012C:\Windows\Explorer.EXE{C8EA50B7-F33D-6215-E300-000000003802}4920C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+639b0|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284562Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.403{C8EA50B7-F2AD-6215-C000-000000003802}48565012C:\Windows\Explorer.EXE{C8EA50B7-F33D-6215-E300-000000003802}4920C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47d70|C:\Windows\System32\SHELL32.dll+6396c|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284561Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.403{C8EA50B7-F2AD-6215-C000-000000003802}48565012C:\Windows\Explorer.EXE{C8EA50B7-F33D-6215-E300-000000003802}4920C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63940|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284560Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.403{C8EA50B7-F2AD-6215-C000-000000003802}48565012C:\Windows\Explorer.EXE{C8EA50B7-F33D-6215-E300-000000003802}4920C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000284559Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.150{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E213DB1E63BBB5B73B83737A63A516E,SHA256=A177A502595D5CC551F178514F5C579E8C7BD92D6FA4E3B554AFE7BC00857B08,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000213674Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:45.039{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51138-false10.0.1.12-8089- 23542300x8000000000000000213705Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:48.555{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9007C5B4EF97C0ACC31BDE30B373DB66,SHA256=04A01841278B26068CABE3637FF72D563D5151AA96CB54471B4F826C83611B12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284630Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:48.972{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=147BF6AED78C90D4E8729782945B89A2,SHA256=4014BD6EA7EC1755A05C5079ABEFA9A3CFDC1FF52AD643FD05FFEF4B5D667E2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284629Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:48.972{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=FDEE84B7B4903F583BE8368BC20B2BE8,SHA256=A38E570B807ACE277043BF35EDFFDA978C57FA07A211BF4AD8653937634DE931,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284628Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:48.816{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E1FD42EABDC9CBFA38D9DCC5F2EC54E5,SHA256=DDE8C407FBD46C41EB061EACDC81D5F66C1A111546FC5484330C41CBB85FE8EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284627Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:48.816{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1467D21D6FC55E3855EA46B70B0CF364,SHA256=4F5BDBBF3B2B8BF16A150706B7979B7A78ED9B0D3F8F777525EE636E0DBA4043,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284626Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:48.457{C8EA50B7-0D8B-6216-8E04-000000003802}2268ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\pingsender.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\saved-telemetry-pings\7a931ddd-ad59-42aa-8f07-8e0b9ff26739MD5=03FC511A460342CD4DEFA581F767DF39,SHA256=2C27BC12A0779B892912C7A11C7BA1EEB29E7F5926F963BE674214512220BAC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284625Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:48.238{C8EA50B7-0D8B-6216-8E04-000000003802}2268ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\pingsender.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\yap1cmsg.default-release\saved-telemetry-pings\1868edc7-c857-4cda-bf8d-c3c683167443MD5=A52B87F27ACAD5B5FD356CF64E6370C7,SHA256=78F1FEA1C3D6ADAA352E8D8082491FD7B3FB62A6A8FEB3A5BB2553D7BBCBCAD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284624Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:48.238{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73CF47D03B906CECCC19BC169FE2F225,SHA256=434418EFB8238DD765AF641E28BC24D55DBCC19AE3B1BC2C966C5EC0E403E002,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284623Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:48.222{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CCC0447FD4B279FA8C12FB02A3670EE,SHA256=13B14485AF0921F60EAD1DBB6D765F2DC69229F1D3C363F8D08409AA50AA20B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213704Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:48.415{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C71EBD123762779D8028010D4D1311CA,SHA256=F2CF8205D19F4AAC870A79BEAFA499ECB32110035761E627091579437CB3F843,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000213703Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:48.165{4F8D34B0-0D8B-6216-E303-000000003902}11722372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000213702Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:45.508{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51139-false10.0.1.12-8000- 10341000x8000000000000000213733Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:49.946{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-0D8D-6216-E503-000000003902}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213732Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:49.946{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213731Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:49.946{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213730Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:49.946{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213729Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:49.946{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213728Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:49.946{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213727Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:49.946{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213726Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:49.946{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213725Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:49.946{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213724Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:49.946{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213723Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:49.946{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-0D8D-6216-E503-000000003902}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000213722Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:49.946{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-0D8D-6216-E503-000000003902}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000213721Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:49.947{4F8D34B0-0D8D-6216-E503-000000003902}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000213720Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:49.680{4F8D34B0-0D8D-6216-E403-000000003902}5283928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000213719Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:49.602{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C1B44C3FFB67009091EB632DAB08C72,SHA256=DD55CCE0A4F2C592CB06198861DF212EDC4002DE13422BAAD7225423F78D768E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000284632Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.576{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53190-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000284631Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:49.238{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=747FAAE672B17B5CFD28210C7BDE930D,SHA256=AD2D9D0264D923DF1CA827206FC86FE1F8D4C404E5086D8C04E3446A3456733C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000213718Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:49.321{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-0D8D-6216-E403-000000003902}528C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213717Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:49.321{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213716Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:49.321{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213715Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:49.321{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213714Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:49.321{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213713Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:49.321{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213712Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:49.321{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213711Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:49.321{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213710Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:49.321{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213709Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:49.321{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213708Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:49.321{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-0D8D-6216-E403-000000003902}528C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000213707Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:49.321{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-0D8D-6216-E403-000000003902}528C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000213706Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:49.322{4F8D34B0-0D8D-6216-E403-000000003902}528C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000213736Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:50.618{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=414FDB35BD8396E6BED848380DAFF9C7,SHA256=5AD19CA7F576DD0F944EB93063A2DACA6FE9945E4468E64253BCF52995044379,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284635Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:50.992{C8EA50B7-F130-6215-2F00-000000003802}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03cdc2690a17b3e8a\channels\health\respondent-20220223083251-117MD5=A38EB58E8C6680789F1AEA0022EC0210,SHA256=7B5C3F2ACD9B17C99423AC4BB2B0CFD455B3A71F8C48567BF2A051FF8E6D4921,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000284634Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:47.485{00000000-0000-0000-0000-000000000000}2268<unknown process>-tcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53189-false34.120.208.123123.208.120.34.bc.googleusercontent.com443https 23542300x8000000000000000284633Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:50.363{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F7610EFF5CC28630008B50EF5F9CC9F,SHA256=4419CD3CED76D605EB454047487ABA881D183F430736A12B70441431457C66D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213735Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:50.321{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=32CBE314A5B30CFBA83BCC2D4F37F53A,SHA256=C530B6F80BF08990DA0E3D78CC3F34137BD3E2B84CD1443A43C6456B6929AEE0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000213734Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:50.180{4F8D34B0-0D8D-6216-E503-000000003902}32642680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000213750Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:51.759{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3D1000277002A405017334A8904A92B,SHA256=E7DCCBA68A65AA8DFFE868130AB6E95D80BCBDADA963EF99F0D036820153371F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284636Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:51.421{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16696309BC2A0F5639B24993197260DF,SHA256=97E3CDF9B0B23514907E0E185CA112C0CF392987BA9D3BEB65B2F8C13F91A429,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000213749Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:51.649{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-0D8F-6216-E603-000000003902}688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213748Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:51.649{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213747Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:51.649{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213746Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:51.649{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213745Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:51.649{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213744Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:51.649{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213743Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:51.649{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213742Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:51.649{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213741Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:51.649{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213740Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:51.649{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213739Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:51.649{4F8D34B0-F11B-6215-0500-000000003902}412532C:\Windows\system32\csrss.exe{4F8D34B0-0D8F-6216-E603-000000003902}688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000213738Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:51.649{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-0D8F-6216-E603-000000003902}688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000213737Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:51.650{4F8D34B0-0D8F-6216-E603-000000003902}688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000213752Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:52.961{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDFA7F77C1CD733C2E43B97A8149E8E1,SHA256=FB5C42B41A9E4BA23974A01B17ACE928FE24178DF64E945E7A768FC2683832D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284639Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:52.435{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68CEFB775DAA0D31A75F53122BFA2B4F,SHA256=C41BCACD405DE02A5259F4AA98DA587BE68903CC014A4BE5B3CEE50629DCDD7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213751Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:52.680{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F75FF7BD0B5767A1F384F4E7D6427C60,SHA256=3A2EC0C39E605E5789E567EE34DC6325F3664DBF91358958DD957CF63D28C896,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284638Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:52.294{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E1FD42EABDC9CBFA38D9DCC5F2EC54E5,SHA256=DDE8C407FBD46C41EB061EACDC81D5F66C1A111546FC5484330C41CBB85FE8EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284637Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:52.000{C8EA50B7-F130-6215-2F00-000000003802}2588NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03cdc2690a17b3e8a\channels\health\surveyor-20220223083249-118MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284640Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:53.438{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8FFCBCDF4D0D217130F91966875BEC4,SHA256=B8AF624765579AC8FC4ADF342A59E24D0DB7C69FA31CA1E28A18862EDD296A8A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000213753Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:50.586{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51140-false10.0.1.12-8000- 23542300x8000000000000000284648Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:54.438{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0AEA4E94855B61FF884CB291CF03917,SHA256=A3DAF815D941FD59BDECBCD40934699429710DC0FD905A4EC5B47AC6F3EF483E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213754Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:54.024{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA9E8808DDE04CF4D3051DEC76430770,SHA256=B7E67A16AD55C3346FB4B7E7B7D0892E50BA2900B3FC87FA6E1814ACD8BC00E0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000284647Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:54.328{C8EA50B7-F2AD-6215-C000-000000003802}48564340C:\Windows\Explorer.EXE{C8EA50B7-F674-6215-5C01-000000003802}6072C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+63325|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284646Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:54.328{C8EA50B7-F2AD-6215-C000-000000003802}48564340C:\Windows\Explorer.EXE{C8EA50B7-F674-6215-5C01-000000003802}6072C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6323e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284645Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:54.328{C8EA50B7-F2AD-6215-C000-000000003802}48564340C:\Windows\Explorer.EXE{C8EA50B7-F674-6215-5C01-000000003802}6072C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63207|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15450f|C:\Windows\System32\windows.storage.dll+15328f|C:\Windows\System32\windows.storage.dll+15622f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284644Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:54.313{C8EA50B7-F2AD-6215-C000-000000003802}48565012C:\Windows\Explorer.EXE{C8EA50B7-F674-6215-5D01-000000003802}5016C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+617df|C:\Windows\System32\SHELL32.dll+639b0|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284643Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:54.313{C8EA50B7-F2AD-6215-C000-000000003802}48565012C:\Windows\Explorer.EXE{C8EA50B7-F674-6215-5D01-000000003802}5016C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47d70|C:\Windows\System32\SHELL32.dll+6396c|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284642Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:54.313{C8EA50B7-F2AD-6215-C000-000000003802}48565012C:\Windows\Explorer.EXE{C8EA50B7-F674-6215-5D01-000000003802}5016C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61a34|C:\Windows\System32\SHELL32.dll+63940|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284641Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:54.313{C8EA50B7-F2AD-6215-C000-000000003802}48565012C:\Windows\Explorer.EXE{C8EA50B7-F674-6215-5D01-000000003802}5016C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000284650Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:53.525{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53191-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000284649Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:55.453{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D04C94E411871ED6B1CA25D97C497CE6,SHA256=740C7743163741DE9D5778AD5AF96DA17881426CB51961AD6622D44B1705625E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213755Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:55.055{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DC6A87C8249DBA52179246F31B67E71,SHA256=5EF8721993161A1F478602D862CB47AA88BB90757276B943DEA1D2ED154B07D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284651Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:56.485{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7ACF4248C3D66884CA38D5D2907BBFC8,SHA256=DB2E9EAF89ED41CDD9A1FFAB1FFF1CC7E3424AA3122C0BE5350551F0516B8014,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213756Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:56.071{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C9EDC6B42BA9130C8976DD5E4FFA348,SHA256=5AE31FA1197C771F737FA56F28BAEC8BEE2684A5812579DAC37FF283C585F0D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284652Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:57.500{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC14D49F085471F29083C365AE03FF68,SHA256=27F9C88A26BE42CADC19F32482D308E0B80FF852EFA8D7F6A8350A69E8FA6C44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213757Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:57.086{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03A51BA5E73B2471020C283476355402,SHA256=E5B007D0F226B1F42723770C1FCF73D6F84B6E102BC10859806F2AAD358B5CBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284653Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:58.516{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D36EA80F58A808F31FB98DA0DB3F329,SHA256=1B7780BD1B5C5C08747B74051E80D2501F304AF7E7E2FAFDE77606C30BE31797,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000213759Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:56.570{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51141-false10.0.1.12-8000- 23542300x8000000000000000213758Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:58.164{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDDFE71553BFDCCE1B8C4A9C9D25F461,SHA256=B3266343250AD0B30DC9F38F5CDBEECD26610F8A9BCF891318976066021928EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284654Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:59.532{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BCBCDFF5EF4A163678F385812FBA338,SHA256=D957BA13EA3BAD25EB013A71301A5222EC5729F05483FCB9A220C4436263E8D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213760Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:33:59.336{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C83031637DBBBE9E6F569177AECAD29,SHA256=26BE057E691CE8F46B569D0A3B13B0BBCD4BB2CB9C62FFDD7DA4D2E466D1CD02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284655Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:00.594{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE1C897CCEFB4632A947EDD27D271DB7,SHA256=D3E11BD07A9EE0F47C54103E6A68D81457282EBC169B7FAF07576D44F044EC29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213761Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:00.399{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A951DDDC0B4D74588A7989CF79B2599,SHA256=86E0F5E98841F28400DCFC01CE342AA73B6233750F960B9B0125780EC930C795,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213762Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:01.618{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=700BE90845FBD8A7C6FABE66DFF0CDD9,SHA256=C0F2631E87EB548A770565490FE71E49C5B652492D5A04E523CE0CE41A7E7722,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284656Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:01.594{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B4A4529B0CBE5767A579A511FD3374C,SHA256=9BA20F0313943067CFDCC8C1ED7E23E1E6B88A940AF8DC8104521ECD390A3DED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213763Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:02.633{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31BD56641D40CECB499EDCF6286841D3,SHA256=3A9A7D5F9B4249B8535E6E16C3DBB6B8DAF17A2FFBC27990C1296FE4DB95CA9C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000284675Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:02.703{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0D9A-6216-9104-000000003802}964C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284674Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:02.703{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284673Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:02.703{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284672Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:02.703{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284671Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:02.703{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284670Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:02.703{C8EA50B7-F11C-6215-0500-000000003802}412428C:\Windows\system32\csrss.exe{C8EA50B7-0D9A-6216-9104-000000003802}964C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000284669Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:02.703{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0D9A-6216-9104-000000003802}964C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000284668Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:02.704{C8EA50B7-0D9A-6216-9104-000000003802}964C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000284667Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:02.610{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20D1795096C473241CAFAAC2A40DDB5E,SHA256=27FC5D157BC3E9049222CFCE5002804044B6088504CF16BF803B6CBC38706E2E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000284666Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:02.453{C8EA50B7-0D9A-6216-9004-000000003802}43645864C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284665Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:02.188{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0D9A-6216-9004-000000003802}4364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284664Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:02.188{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284663Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:02.188{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284662Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:02.188{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284661Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:02.188{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284660Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:02.188{C8EA50B7-F11C-6215-0500-000000003802}412428C:\Windows\system32\csrss.exe{C8EA50B7-0D9A-6216-9004-000000003802}4364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000284659Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:02.188{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0D9A-6216-9004-000000003802}4364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000284658Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:02.189{C8EA50B7-0D9A-6216-9004-000000003802}4364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000284657Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:33:59.556{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53192-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000213765Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:03.727{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1C13A158A9A07521AE50D754D176F02,SHA256=8C8416AF54B70BE9ABDBDFB0537D99A37DF746A17705EB616DA2AED2E0B5C50D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284678Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:03.688{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37863969DC8F7356BDDCC892BB40B4FD,SHA256=81A0CEB0BD930E7F3FC5311088C1D6671F60BC70F1FF7B1303CD9EAF93E4B7F5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000213764Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:01.601{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51142-false10.0.1.12-8000- 23542300x8000000000000000284677Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:03.203{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3833AB64C1038153AE483919B6885FCB,SHA256=798718CAC6A0E6D9F54EFE6DAEFEDDE7E332177EE47F3B338BB0F32DA2C3A2EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284676Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:03.203{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=94C217D1BB3E5963A0DF12D4DC173C82,SHA256=D739C3B76CA5E47CA22FC558A77934D920B5DA1231EFEAB227AE34E001D4B784,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213766Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:04.946{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C49EEAD991FF382CB772A5CC4637C678,SHA256=4AC147D8B93F079B56932A32D70060F834BD310657738961AB8A3319CE34400C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284688Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:04.703{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F003663400F72ABF14F121ACBCED1604,SHA256=E93F800BF3AE349B673EFA9B5ED0E2544EB7BFC8B5AFBFC8CD0FECF69C1E0476,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284687Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:04.610{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3833AB64C1038153AE483919B6885FCB,SHA256=798718CAC6A0E6D9F54EFE6DAEFEDDE7E332177EE47F3B338BB0F32DA2C3A2EA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000284686Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:04.266{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0D9C-6216-9204-000000003802}1000C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284685Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:04.266{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284684Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:04.266{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284683Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:04.266{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284682Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:04.266{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284681Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:04.266{C8EA50B7-F11C-6215-0500-000000003802}412368C:\Windows\system32\csrss.exe{C8EA50B7-0D9C-6216-9204-000000003802}1000C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000284680Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:04.266{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0D9C-6216-9204-000000003802}1000C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000284679Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:04.267{C8EA50B7-0D9C-6216-9204-000000003802}1000C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000284691Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:05.704{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73CD9E7EBCE003F4C23F5B30A3D68229,SHA256=93E53DB727C201D982787B86F390E8AE12508C3D0E2A02861F9C46A486715CBC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000284690Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:03.057{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53193-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local389ldap 354300x8000000000000000284689Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:03.057{C8EA50B7-F130-6215-2C00-000000003802}2420C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local53193-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-173.attackrange.local389ldap 23542300x8000000000000000284692Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:06.719{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E6D0DFBB6EA121E791159DB4E8A98B0,SHA256=5F902F8E8EB9DC0C10FAC35EC2AA4227C5AFBB908FA3D9FEB4F135C26B9F868E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213767Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:06.180{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0262F55DB8BD5C3F8E883C53832DB4E,SHA256=34E81ECABA457B03B5B99D8B77A247D51436CB2F42EADBDE63E1793D48F42AF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284693Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:07.735{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D1A792175F323DCBA269D91202B6D1A,SHA256=85319A8AE61C00A093B9C4B221520FDE49E708F7D016806704AB4CAC05F8B5A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213768Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:07.258{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12EE3277EEA1C9279AC50AEA2FE47C38,SHA256=E2693EBDB68693B9FCDFEF50C6F6800709797D5B0ED413762820CB397E8F6959,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284695Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:08.766{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25C87799BC33F49295CB9E065848EBD6,SHA256=C65A00053876CA5FE726A993E80AEF4DB8C24453BE19BF0D0E8A9F70189E66C3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000213770Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:06.601{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51143-false10.0.1.12-8000- 23542300x8000000000000000213769Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:08.258{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A47D6B856B0F73D4302F11A86884FC7,SHA256=3FB0E35F346F28B4395833F3F0C3A83F31EECE51F89E5C2480FBBBC06EE7FA6B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000284694Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:05.619{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53194-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000284696Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:09.782{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E12F73C2BDB54088B8CCEBD61DA2C6F,SHA256=AB3810700C437ABEFC84D66721EBF01F7FC6A60D9A675F9FF7DF3F177B6324B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213771Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:09.274{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=438AE0399929C0EE12D538DCB04FBF36,SHA256=31701BB564FFB4B8B4CDAF0C61B704EC535445301F1877E831E50A42AB2AB2A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284697Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:10.813{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7A457742B937EAF2F1FA3B810F9744D,SHA256=CC5FCDC312BE6439687590708F53D90EDA073EF3BB935D17832201752A9E4CCA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213772Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:10.290{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5345D2AB6472EA633CDA4A3483B1B2DC,SHA256=F4F962B5640A1442E3BEF02590094475E23C5506775160DF9455F7093E51A500,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284698Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:11.828{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8CD7D2F2D14B8D73AEEF4F3AEFB87F5,SHA256=D6329745D18C9F7F589DA819C35C9ACC472087FA95DA908FFC65BDA8ACA8B774,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213773Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:11.539{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99ACC410DA31BA2733D7C469D2EA9C45,SHA256=5B58AC895A9DF6AF8B4364DC4744EDDAE4C708178E3BE2549853D1FE9A00D79B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284699Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:12.860{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F24D2F2A3705FD727CCB45BAA578DA88,SHA256=059839087619AB777DAD8F63D4FE4BCF7C65B025916E8D25C5B3A2FC7C1CCDFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213774Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:12.539{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9845CC71D36DEDAA1834B42ED741B8D7,SHA256=CFD6F09DB8ED8975CF2A27701DD213BFD0E4A4F2ACE52066CAA5E488F09F028F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284700Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:13.875{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0A5DD684955A75B4BD6F16693BB8A1F,SHA256=B52AE2C1CEB32566B7EB2F9D4C4803F968E4B67FFA0BEEDEB6AEE31F961A2206,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213775Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:13.664{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=471D5D1633C750262B7F9A000A343BEB,SHA256=E5B04BECA4B7D8DED7654FA42B7EDC6D42555E2039DC09618E5929677C810B5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284702Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:14.891{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=345505C795E5C9EAA0BC0A1242C78950,SHA256=F09D541D6A44455296DCDEEEA60849F7CF9ACC525468C295A3E1CC75C80437C4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000213777Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:12.648{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51144-false10.0.1.12-8000- 23542300x8000000000000000213776Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:14.742{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04782E1AB3EA715D20EB965B57A27A3A,SHA256=2CDA3A39AB0657B013FF86A870C299C539F8BA16A9B1B975F6971749BD73C8E3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000284701Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:11.541{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53195-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000284703Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:15.907{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E28248668883C8CF6A9C6B6E1F194CCA,SHA256=8C628099E2D8BCD112AB485AC2591C7D364EDA3E44A8070DD6820C39112744B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213778Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:15.789{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7C8E3F11BDF85A566A71F2DF9DF39D6,SHA256=EE8D21E2BAE81C14B42FC7A48BA9EF33F42A6FA0570778D3DD2511DD0A9E28A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284704Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:16.923{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A96B04A11B21906ACF6850BB288E0E6,SHA256=D60A7D3482C9058CC8D1C18EB70933718F14035018484F9FF5A11170F2C4FDBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213779Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:16.805{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF030374AA3777C299A439E2D08FDDF4,SHA256=46D6F8823295C6B8D90FA9CD6D1D10CC0CE07C1DEAD5A261411CFA6843D36376,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284705Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:17.969{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EC8DBF1F41CF3EE3FB6D16662190036,SHA256=7CF29E640F630B3D78D85930F0DC592AF1F0EA8F9AD0669CBD15967DFF5322BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213780Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:17.836{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BB6E0A685FF23823E236B2CEE49C222,SHA256=9D711217E715F1F14ED012C06340C9686915EC0E2885909B759D91C021A66435,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213781Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:19.055{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E855A446D98005BF6B458CA6519A649,SHA256=C21F564744215CF4E78E5CC23D1D5F928323D73BE0E2C9DB65F6AAA83F7CD67F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000284715Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:16.728{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53196-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000284714Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:19.766{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0DAB-6216-9304-000000003802}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284713Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:19.766{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284712Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:19.766{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284711Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:19.766{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284710Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:19.766{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284709Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:19.766{C8EA50B7-F11C-6215-0500-000000003802}412368C:\Windows\system32\csrss.exe{C8EA50B7-0DAB-6216-9304-000000003802}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000284708Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:19.766{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0DAB-6216-9304-000000003802}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000284707Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:19.767{C8EA50B7-0DAB-6216-9304-000000003802}5164C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000284706Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:19.016{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=637125A336FA152C6F8338DE38626318,SHA256=EA136A72FE8DB2A05F518E9CADD433CBDEFC05FB44165873A4E575E63C04D7A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284728Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:20.813{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D87EF74F352C87D9EB9C459AF242EE6E,SHA256=F1A9EDADD41B123FF2048EA1AB78453BFDF68012A22DD421DAD90DE0DD06FAE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284727Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:20.813{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CD57A866B355F3CE25B7E8D703B49E2A,SHA256=EC6BC6177E0619EB67E062C16B01B8A8062C4AD2FCD3E1185E53C0D65663B6A8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000284726Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:20.610{C8EA50B7-0DAC-6216-9404-000000003802}61126028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284725Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:20.407{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0DAC-6216-9404-000000003802}6112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284724Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:20.407{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284723Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:20.407{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284722Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:20.407{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284721Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:20.407{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284720Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:20.407{C8EA50B7-F11C-6215-0500-000000003802}412528C:\Windows\system32\csrss.exe{C8EA50B7-0DAC-6216-9404-000000003802}6112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000284719Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:20.407{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0DAC-6216-9404-000000003802}6112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000284718Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:20.407{C8EA50B7-0DAC-6216-9404-000000003802}6112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000284717Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:20.157{C8EA50B7-0DAB-6216-9304-000000003802}51645968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000284716Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:20.048{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F8DA5D1193E1C45705208625D48B5B2,SHA256=E3441001A0228FA4BB9C43EBD7E2C6E0F779CCB38DDC1B337AA82E0E82066BE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213782Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:20.086{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64596C99F52F5CF1002C525EA1559789,SHA256=3082D441016FF274743F0565396FB9B73FF5DBF1F5FB4B593E8E9E19C07D550D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000284746Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:21.578{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0DAD-6216-9604-000000003802}2400C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284745Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:21.578{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284744Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:21.578{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284743Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:21.578{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284742Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:21.578{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284741Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:21.578{C8EA50B7-F11C-6215-0500-000000003802}412528C:\Windows\system32\csrss.exe{C8EA50B7-0DAD-6216-9604-000000003802}2400C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000284740Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:21.578{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0DAD-6216-9604-000000003802}2400C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000284739Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:21.579{C8EA50B7-0DAD-6216-9604-000000003802}2400C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000284738Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:21.391{C8EA50B7-0DAD-6216-9504-000000003802}47765596C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000284737Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:21.188{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D53AE1CDE1C19B7A390FAAA0FF0073B,SHA256=A8B4E2FE6D3B475FBF691A22F9A569C60666D83AC2502FFA369B920A849472C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213784Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:21.102{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C075EC087669F795016595D60706069A,SHA256=49826B9A652E3904DBECC2C9BFC0DB180031E74C5CCB69F9BA81914E70154EAA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000284736Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:21.078{C8EA50B7-F132-6215-3800-000000003802}34843504C:\Windows\system32\conhost.exe{C8EA50B7-0DAD-6216-9504-000000003802}4776C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284735Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:21.078{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284734Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:21.078{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284733Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:21.078{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284732Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:21.078{C8EA50B7-F11F-6215-0C00-000000003802}8285152C:\Windows\system32\svchost.exe{C8EA50B7-F130-6215-2A00-000000003802}3060C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000284731Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:21.078{C8EA50B7-F11C-6215-0500-000000003802}412528C:\Windows\system32\csrss.exe{C8EA50B7-0DAD-6216-9504-000000003802}4776C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000284730Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:21.078{C8EA50B7-F130-6215-3000-000000003802}25121124C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{C8EA50B7-0DAD-6216-9504-000000003802}4776C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000284729Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:21.079{C8EA50B7-0DAD-6216-9504-000000003802}4776C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C8EA50B7-F11D-6215-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000213783Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:18.526{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51145-false10.0.1.12-8000- 23542300x8000000000000000284748Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:22.188{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D3248FC1DADDD538BB66FB8E48BA546,SHA256=2F5560F0DECB56BA52F844EBF3748965CFD35F36F564B186D55C3E1CAD3D10F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213785Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:22.133{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A616AF98908CC34CCA349A480E7D2FE7,SHA256=1D84FA2EBE032D3FA17E3963F55307130BCD3D0082A40A639DA74C05A47EC786,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284747Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:22.094{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D87EF74F352C87D9EB9C459AF242EE6E,SHA256=F1A9EDADD41B123FF2048EA1AB78453BFDF68012A22DD421DAD90DE0DD06FAE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284749Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:23.219{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C7781F16D8F53C687B13A22C1E36FA9,SHA256=0D449E55C07014ADDD3C20329E93FF1BAED512D011018483B7069101404112F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213786Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:23.148{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=617AF2FB2CB9501FC72BAF562B79CBC3,SHA256=FCA6ACB27343096DB6F7D2042F9B56EFC4EE7E4B6BF491F857E0F77E0E3C1F50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213787Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:24.305{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BF572AF45565DFBA546184A41D4E86A,SHA256=4CAB7AF6FE56E101A60251811A957E1E50B067116CDDFAC1CA24C38B05D1FBFC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000284751Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:22.713{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53197-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000284750Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:24.235{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65550F40FB9A03D58BA6500B8B6478A0,SHA256=B587FA26D9C217429E8F0D0EA457F1339A8164AAA37579999E31032E98EF4E30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213788Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:25.305{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE5E02B54A3841FEB30F9A508953452E,SHA256=FBDFDC6035FDA9EC6042C45B1246289067076E7941CD1A69B7631200577EA9FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284752Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:25.250{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50108D0E27129EA7D13E81F951853105,SHA256=CF40D3459ED64172C2912FB873108268F4EFFCB5ABDFB7C1E78496DE0499B646,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000284763Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 10:34:26.625{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000284762Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 10:34:26.625{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x006fc0b4) 13241300x8000000000000000284761Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 10:34:26.625{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d82898-0x8c61bf09) 13241300x8000000000000000284760Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 10:34:26.625{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d828a0-0xee262709) 13241300x8000000000000000284759Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 10:34:26.625{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d828a9-0x4fea8f09) 13241300x8000000000000000284758Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 10:34:26.625{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000284757Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 10:34:26.625{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x006fc0b4) 13241300x8000000000000000284756Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 10:34:26.625{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d82898-0x8c61bf09) 13241300x8000000000000000284755Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 10:34:26.625{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d828a0-0xee262709) 13241300x8000000000000000284754Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-SetValue2022-02-23 10:34:26.625{C8EA50B7-F11D-6215-0B00-000000003802}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d828a9-0x4fea8f09) 23542300x8000000000000000284753Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:26.313{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=803F6357D67BEFCAAABD27F7BDD10E4A,SHA256=A11F5C229118789C5CA32A62494B263367504DEE845664130DEDF257172BBAB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213790Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:26.445{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDC002A07810ACCB7A3ACB4BEFE527F1,SHA256=2849666E2C064E1AA2E8C33F90015EEA6A90C568CDE141B0FC8977E854C2C48C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000213789Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:23.601{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51146-false10.0.1.12-8000- 23542300x8000000000000000284764Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:27.344{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADEB9F54CC4DF539F180A2C91BEB0ACE,SHA256=B895616F0AD425BCD87E8B694A625C5100516F350A65B7B93EE2CAA598E6595E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213791Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:27.539{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7F0A902D6AE0E4F04CB471109A48229,SHA256=999405761F2D94281FA9F084F3ADF0CFAFF005A6672F2FF08587DC6E294B6EFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213792Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:28.617{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4EE354C68EF61C3941EC4F656A8E887,SHA256=5723DAE72D85E27C0AEAAE4E1D102A860EE6B076818E6719C40250F2DA214AC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284765Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:28.375{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4224A3D62FD9682EF181FB9750C518BF,SHA256=27BD203C25EACEB74042297C96B3E449302D73678FA15AC4E4C42B9859639B5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213793Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:29.851{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=366D96282691FB55CC71FBBE93CCC055,SHA256=1D1D8A80255A334DAF86F3D1297F14F3AF1647A831DD85A8E99D1C9A7980DFC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284766Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:29.391{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C9F293D2EEBFD6D240C06D2AF90BD45,SHA256=265FEF3B6CCE30C31109DFF2BDE8E43E574AC66A724B233E57B9752C76127DB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284767Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:30.407{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3580A54B43562C9F00076D667ACF0D86,SHA256=6C9A7FD1A83A540105C494D6110E237CC765A3A8F0B14424B32CBD378A0F9E61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213794Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:30.226{4F8D34B0-F11C-6215-1100-000000003902}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=1B97DEBAC50C64816EC8CCE33F01F0E9,SHA256=64F11EC89E0B4014545488D52421E47D566DC5B70BECEBCC711CFA4A66BD9C26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284769Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:31.422{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89439459EC8B99AB0864AC8223E45D1E,SHA256=596CD267742E1ECBB88E7951C756D1BAEB8186D670E645E25EA744669046FD36,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000213796Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:28.649{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51147-false10.0.1.12-8000- 23542300x8000000000000000213795Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:31.070{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56912E1419C92DBD8E46946A504A0BA2,SHA256=DC0F962F7A8370C1EE628BDA5A5F24B34DFAC563CFCB68F73545E573E918DED1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000284768Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:28.650{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53198-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000284770Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:32.438{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57D2F91D3B632D088F6507562CDF23FB,SHA256=086F1C374B841F900993891E437E45E5879B45AD52687D8981D7ABC6823EC0FC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000213800Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:32.680{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11C-6215-1300-000000003902}832C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213799Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:32.680{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11C-6215-1300-000000003902}832C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213798Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:32.680{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11C-6215-1300-000000003902}832C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000213797Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:32.164{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B61D60D78E2DBB13D10393D337129F8,SHA256=4E98B798B60B723F306B5C9083B8812CB52110240621A82D42A142C2C85AB6B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284772Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:33.453{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9E217CF9D1F2778CC7B5CC62BB8D242,SHA256=D2DE7EE8B80193AFF8B2A65978DBB5E0D5D5C93CD885AE56C1564F48E93C8B7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213802Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:33.886{4F8D34B0-F11D-6215-1D00-000000003902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04ffbe17aee3fbf0d\channels\health\respondent-20220223083233-118MD5=7840F8D654EED3E7C6FA395A9E23FA56,SHA256=FC4C38DACEF1698268BE802A03907A00216EAC67FA531AF20528DD4173FB9624,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213801Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:33.195{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EA4F6A2E812A64DF41D09410F4092EA,SHA256=04364FA32F8F3AB5F8D4806C43E90220750D736A22062E893219B6E5E6F67B43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284771Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:33.235{C8EA50B7-F11F-6215-1300-000000003802}616NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=E0803E8C6D3735EBDDE96162444763DE,SHA256=134A867B65C75440F836FDBB6E102B36B7E421DC0A3155FB4DAB9C8567D97D79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284773Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:34.532{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48AAF63CFF87500D0784B4DBC3C6F76B,SHA256=D5AD83EDD765E698C230089B7F5B959F1B53A810D42AF080DE603989126AC891,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213804Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:34.885{4F8D34B0-F11D-6215-1D00-000000003902}1876NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-04ffbe17aee3fbf0d\channels\health\surveyor-20220223083230-119MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213803Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:34.197{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CF53E71AC2A9696AD68E5DA1AD63C99,SHA256=E9A0C017F6ACABB8C90B702EF11455AD1F029F2EA5B467974CA929ACEB87F1F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284774Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:35.547{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC43127BEB6FD1C10D0B479BA6F3315A,SHA256=09D5FCD4FF28B1A6CC15EFDC03D9DEA90E9E1C515B080B4E6CC7E0549678893D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000213806Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:33.666{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51148-false10.0.1.12-8000- 23542300x8000000000000000213805Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:35.227{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B33CEC8D6CB6C1B739A01894BBEDF64,SHA256=246D7FE53E11F1C592B0808CE6F3C88A33B6011E214BF738ACB5BCDD9FE5F5BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284776Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:36.563{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE111C508A6BC5EFEF44F1E51BDC1657,SHA256=1FA912166F5B6514D942E5498A33E348C04D6A70292579FE1E5EFF3415A235A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213807Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:36.229{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=587A3A3B68DBB046B5FBEC6A756DDA87,SHA256=480ECF9985C53BB57E794164B9CB8AF8D89EF525699CB89D51066A21BA2C4B0C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000284775Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:33.697{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53199-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000284777Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:37.750{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=797268CE048E3D1D0F8EB2AFB4ABC6C0,SHA256=641EC8BF47FBAD40D1FCDCAB526D421F8BC1AAFE5A9BF8D92829BCFD4D3B62A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213808Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:37.464{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21BC15096342D9594B8EAC747469E562,SHA256=F338EC3A9C405D70273BA60AD3F1EA7D4293C2C65D4AC573B9DC323A4F6098FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284778Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:38.797{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29FD5B202C97A80F1C34F0FF3DA9696F,SHA256=A9CF5CEC689F46076ABAD7E1790FBED2908C8DDB50F9BF9A4497DC36F7D6EBA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213809Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:38.573{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4113CBBC9781F7FDC8EF1722F2BD368,SHA256=CF1557328EF5BC5FDF48B601693478724D96ABCA7B4FB3B82B7596400A2DD9A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284780Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:39.891{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79D4F3C03F780218CC186535E07736BC,SHA256=1CC8899FC314425446D91277FF4D33157C007CF0EBD2D1B2BD50CC7459000421,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213811Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:39.745{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADBCEE19E2C87DB7AC4D69E932CD39AD,SHA256=14030F1D6D6553A51B2CA4A36567932880883920CB94B30E73B45758149AA96C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284779Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:39.391{C8EA50B7-F130-6215-3000-000000003802}2512NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C796F5788518CF0F57AB5C87207C5D14,SHA256=0CE7095FECB35749AB15D15586D728EDDAEC94009FC3FB4FCEDC790B064FF951,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000213810Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:36.308{4F8D34B0-F11C-6215-1100-000000003902}980C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruetruefe80:0:0:0:ad4f:96:d14b:8b64win-host-tcontreras-attack-range-985.eu-central-1.compute.internal546dhcpv6-clienttrueff02:0:0:0:0:0:1:2-547dhcpv6-server 23542300x8000000000000000213812Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:40.792{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF27597E39E25933402E448F248C374F,SHA256=990A820CA9EF287255A653ECBFB3EF0E4A0794D4EA167EE5BD51E800731323F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284782Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:40.891{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC9D04F6D5E835A7BDAE63D4DAF1BEAB,SHA256=3B4CD80186777134F85C1880B0738BE4568D1F3C9BBFA6AADC6E4FABA1BCC63E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000284781Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:38.697{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53200-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000284785Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:41.985{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5B8B9A08F706F175B1A31446D52E987,SHA256=55350443B95B160E30F3A1FBE145CDB5D5EDCD1F3D700D32C8865B9EC5DBCE12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213814Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:41.839{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DF0D5F45315BFF8E60FC89103179447,SHA256=9007ECF105BC55F49E143FBBBC6E8ACA02D0BBC36C3EC9519B19EA1E9A94BE78,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000213813Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:39.448{4F8D34B0-F12B-6215-5B00-000000003902}3916C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-985.eu-central-1.compute.internal51149-false10.0.1.12-8000- 354300x8000000000000000284784Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:38.854{C8EA50B7-F130-6215-3000-000000003802}2512C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53201-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 10341000x8000000000000000284783Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:41.422{C8EA50B7-F11F-6215-0D00-000000003802}8883340C:\Windows\system32\svchost.exe{C8EA50B7-F11F-6215-1000-000000003802}364C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000213815Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:42.854{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7F85DB444C7A90AD01BB5C2ED680BAE,SHA256=9D58E7FA1D97DCAC3CE9ED34E5FEA1B98C050767DF417126542C36869E04FB72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000213816Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:43.932{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBDFC821F35F5B8238ECF470CF361560,SHA256=6DB7839717B2F59C577C9A01CB5EDDE30916D5A149E2B67FAF2B6A5F4EC06B5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284786Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:43.000{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3F0373E7537EDA797D09F59DBC02775,SHA256=782C42767B85FBB375FD56938D61A72609898A148A8E7C7A72048ECC7ED44582,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284787Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:44.016{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01516A5425A25F2B222C3B7D0FC749C9,SHA256=D90083D9A32AC72D162AA38C07F56B23E0B84A29465C6A676F290E60466D029A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000284788Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:45.032{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3F00616092076C75C30AC23D66CCFD8,SHA256=3A70D5B1394B7328D7B244B983E6018BA9CFA4E7BC1624C84C0F79630858B84D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000213844Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:45.823{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-0DC5-6216-E803-000000003902}1008C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213843Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:45.823{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213842Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:45.823{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213841Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:45.823{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213840Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:45.823{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213839Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:45.823{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213838Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:45.823{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213837Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:45.823{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213836Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:45.823{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213835Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:45.823{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213834Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:45.823{4F8D34B0-F11B-6215-0500-000000003902}4121208C:\Windows\system32\csrss.exe{4F8D34B0-0DC5-6216-E803-000000003902}1008C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000213833Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:45.823{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-0DC5-6216-E803-000000003902}1008C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000213832Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:45.824{4F8D34B0-0DC5-6216-E803-000000003902}1008C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000213831Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:45.636{4F8D34B0-F11D-6215-2300-000000003902}2036NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=C796F5788518CF0F57AB5C87207C5D14,SHA256=0CE7095FECB35749AB15D15586D728EDDAEC94009FC3FB4FCEDC790B064FF951,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000213830Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:45.151{4F8D34B0-F11E-6215-2B00-000000003902}27842804C:\Windows\system32\conhost.exe{4F8D34B0-0DC5-6216-E703-000000003902}3128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213829Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:45.151{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213828Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:45.151{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213827Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:45.151{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213826Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:45.151{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213825Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:45.151{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213824Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:45.151{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213823Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:45.151{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213822Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:45.151{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213821Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:45.151{4F8D34B0-F11C-6215-0C00-000000003902}7283600C:\Windows\system32\svchost.exe{4F8D34B0-F11D-6215-2100-000000003902}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000213820Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:45.151{4F8D34B0-F11B-6215-0500-000000003902}412428C:\Windows\system32\csrss.exe{4F8D34B0-0DC5-6216-E703-000000003902}3128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000213819Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:45.151{4F8D34B0-F11D-6215-2300-000000003902}20363828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{4F8D34B0-0DC5-6216-E703-000000003902}3128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000213818Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:45.152{4F8D34B0-0DC5-6216-E703-000000003902}3128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{4F8D34B0-F11B-6215-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{4F8D34B0-F11D-6215-2300-000000003902}2036C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000213817Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985-2022-02-23 10:34:45.089{4F8D34B0-F133-6215-6C00-000000003902}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA4AA3B87D98E229ADC3D196C6A4A748,SHA256=2B0FCD20EBE522BFA04D8955BD2F746B7A42B7307B2F105F0987600F0DFC0BB3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000284790Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:44.666{C8EA50B7-F13C-6215-6E00-000000003802}3696C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-173.attackrange.local53202-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000284789Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-173.attackrange.local-2022-02-23 10:34:46.188{C8EA50B7-F144-6215-7700-000000003802}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A132FB2FDCE729D0EBFBEC082264246,SHA256=9B34915A9B29D07292938AF68F12F1FB6DA07CF662D74B31342E4ADFFAE4D68C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000213849Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-985<